Introduction


Our annual report is split into three sections. 


The first section is our Performance report, which reviews our work across 
2019/20. The sections set out our key achievements, with case studies providing 
in-depth examination of some of our most impactful work. 


This section concludes with statistics covering the full range of our operational 
performance, summary reports on our financial performance, sustainability and
whistleblowing disclosures made to us, and a statement on the ICO’s status as a 
going concern. 


The second section is our Accountability report, which includes declarations 
regarding corporate governance, remuneration and staffing, and parliamentary 
accountability and audit reporting. In this section we also provide further detail 
about our internal structures. 


The report concludes with our Financial statements, comprising our financial 
performance. 

Information Commissioner’s foreword


This annual report covers a key period in data protection and broader 
information rights. 


We have seen a transformative period in our digital history, with privacy 
established as a mainstream concern, and with complex societal conversations 
increasingly asking data protection questions. 


This report shows the ICO has been at the centre of those discussions, from how 
facial recognition technology is used to how we protect children online. Our Age 
Appropriate Design Code is the most important piece of work covered in this 
report, and shows the ICO at its best: tackling challenging issues, consulting 
with those affected and taking practical steps that will prompt important changes 
that benefit society. 


The Code is an example of the emphasis the ICO puts on enabling innovation. 
We carefully considered its impact on the industry and committed to a 
programme of practical support for businesses. The potential of new 
technologies and innovations needs public engagement, and trust around how 
data is used is an important factor in that. Our regulation can help encourage 
that confidence. 


This report demonstrates the innovation we look to demonstrate in our own 
work. Our regulatory sandbox service has supported a number of organisations 
to develop creative products and services that use personal data, benefiting from 
the regulator’s data protection advice and expertise. Our research grants 
programme has encouraged innovative research into privacy and data protection 
issues. And our service-focused changes across the past year have ensured we 
can continue to provide reliable and responsive services to the public, including 
our work around freedom of information. 

The report also sets out our international work. The ICO continues to chair the
Global Privacy Assembly, driving the development of the assembly into an 
international network that can have an impact on key data protection issues 
across the year. This benefits UK citizens, helping to protect people’s personal 
data as it flows across borders, and helping UK businesses operating 
internationally. 


While this report covers the financial year ending April 2020, it will be read in a 
world in which COVID-19 has changed society. The digital evolution of the past 
decade has accelerated at a dizzying speed in the past few months. Digital 
services are now central to how so many of us work, entertain ourselves and 
talk to friends and family. 


In this context, data is now less the trail that we leave behind us as we go 
through our lives, and more the medium through which we are living our lives. 


Yet COVID-19 has changed everything and nothing. The principles of data 
protection regulation continue: the importance of accountability, the emphasis 
on fair and reasonable treatment of people's data, the need to keep data secure, 
and so on. The law has not changed, and the ICO continues to be a 
proportionate and practical regulator. 


We have demonstrated this approach throughout the pandemic. We have 
published clear guidance on how we would regulate through this period, and 
committed to utilising the flexibility that the law offers for these unique times. 
And we have engaged positively with government and health authorities looking 
to use innovative approaches to reduce the impact of coronavirus. 


We have also led work to encourage international sharing of best practice on 
these issues, including an important statement on the value of record keeping 
during these historic times. 


I am grateful for the continuing support and guidance of my Management Board, 
both the Non-Executive and the Executive Directors. The way the ICO is 
structured (which we set out in detail on page 88) means their continuous 
support, challenge and guidance is invaluable to me as we navigate new waters 
in information rights. 


I am grateful too for the commitment and passion of my staff across our offices. 
It is a privilege to work with dedicated colleagues, particularly over the last few 
months when we focused much energy and services to government, 
organisations and individuals in the face of the COVID-19 public emergency. 


Our work, both in response to the pandemic and more broadly, will continue this 
year. It is now three years since I wrote in my first annual report as 
commissioner, and wrote that continued growth and citizen confidence in the 
digital economy needed an information rights regulator that is helpful, 
authoritative, tech-savvy, practical and firm. 


Annual report 2019/20 | Performance report 


As we reflect on such a key year, I believe this report sets out how the ICO is 
now that regulator. 


Elizabeth Denham 
7 July 2020 

Our mission, vision, strategic goals and values


Our mission 


To uphold information rights for the UK public in the digital age. 


Our vision 


To increase the confidence that the UK public have in organisations that 
process personal data and those which are responsible for making public 
information available. 


Our strategic goals 


1. To increase the public’s trust and confidence in how data is used
   and made available.

2. Improve standards of information rights practice through clear,
   inspiring and targeted engagement and influence.

3. Maintain and develop influence within the global information
   rights regulatory community.

4. Stay relevant, provide excellent public service and keep abreast of
   evolving technology.

5. Enforce the laws we help shape and oversee.

6. To be an effective and knowledgeable regulator for cyber-related
   privacy issues.

Our values


Ambitious — Working boldly, ready to test boundaries and take
advantage of new opportunities; working with a
sense of genuine urgency, continuously improving
when striving to be the very best we can be.


Collaborative — Working towards achieving our goals, supporting
one another whilst seeking and sharing information
and expertise and working effectively with a range
of partners to achieve our collective objectives.


Service focused — Working impartially and ethically to provide
excellent services - continuously innovating to
remain relevant to the environment we regulate.

The legislation we regulate


The Data Protection Act 2018 (DPA 2018) and the General Data Protection 
Regulation (GDPR) both commenced in May 2018 and build on and enhance 
the rights of individuals relating to personal data; including the right to know 
what information is held about them and the right to correct information that is 
wrong. The legislation also obliges organisations to manage the personal 
information they hold in an appropriate way. 


The Freedom of Information Act 2000 (FOIA) gives people a general right of 
access to information held by most public authorities. Aimed at promoting a 
culture of openness and accountability across the public sector, it enables a
better understanding of how public authorities carry out their duties, why they 
make the decisions they do and how they spend public money. 


The Environmental Information Regulations 2004 (EIR) provide an 
additional means of access to environmental information. The EIR cover more 
organisations than FOIA, including some private sector bodies, and have fewer 
exemptions. 


The Privacy and Electronic Communications Regulations 2003 (PECR) 
regulate the use of electronic communications for the purpose of unsolicited 
marketing to individuals and organisations, including the use of cookies. 


The Network and Information Systems Regulations 2018 (NIS) are derived 
from the European NIS Directive, which establishes a common level of security 
for network and information systems. These systems play a vital role in the 
economy and wider society, and NIS aims to address the threats posed to them 
from a range of areas, most notably cyber-attacks. 


The Infrastructure for Spatial Information in the European Community 
Regulations 2009 (INSPIRE) give the Information Commissioner enforcement 
powers in relation to the pro-active provision by public authorities of 
geographical or location-based information. 


The Re-use of Public Sector Information Regulations 2015 (RPSI) give
the public the right to request the re-use of public sector information and detail
how public bodies can charge for re-use and license the information. The ICO
deals with complaints about how public bodies have dealt with requests to
re-use information.


The Investigatory Powers Act 2016 (IPA) imposes duties on communications 
service providers when retaining communications data for third party 
investigatory purposes where they have been issued with a notice from the 
Secretary of State. The Information Commissioner has a duty to audit the 
security, integrity and destruction of that retained data. 

The Electronic Identification and Trust Services for Electronic
Regulations 2016 (eIDAS) sets out rules for the security and integrity of trust 
services including electronic signatures, seals, time stamps and website 
authentication certificates. The ICO has a supervisory role towards organisations 
providing these trust services, including being able to grant qualified status to 
providers and the ability to take enforcement action. 

Introduction


A year in review 


This year, we have set out our achievements and successes in six categories, all 
of which contribute to our top strategic goal of increasing public trust and 
confidence in how data is used and made available. Our annual track in 2019 
showed 32 per cent of people have high trust and confidence in companies and 
organisations storing and using their personal information.


1. Supporting the public


Our role includes helping people understand how their data is used, and
protecting people’s rights.


Children’s privacy will be better protected online as a result of our work 
creating a design code for online services. 


2. Enabling innovation and economic growth 


Data protection can support innovation, by encouraging public trust in 
emerging technologies. 


Our Regulatory Sandbox helps organisations deliver new products and 
services which are of real benefit to the public, with the assurance that they 
have built-in data protection. 


3. Raising global data protection standards 


The ICO's international influence helps to raise data protection standards 
worldwide. 


Chairing the Global Privacy Assembly contributes to that, and helps ensure 
the personal data of UK citizens flowing across borders is subject to effective 
regulation. 


4. Taking regulatory action 


The ICO offers consistent regulation, with clarity for business through our 
accessible guidance. 


We are working to better protect people’s data online by influencing change 
in the AdTech sector in a considered and proportionate way. 


5. Supporting the public sector 


Successful innovation in the public sector often requires the public’s trust in 
how their data is used, shared and kept safe. 


Our audit programme and work around transparency helps to encourage this 
public trust. 


6. Delivering the ICO service experience


The ICO is committed to a service focused approach across our work.


By integrating and expanding our advice and complaint services, we have
been able to answer more people’s data protection and freedom of
information concerns.

The year in summary


April 2019

05 The ICO announces latest funding recipients for its research grants programme

08 Mikko Niva wins the ICO's Practitioner Award for Excellence in Data Protection

12 A consultation is launched on the Age Appropriate Design Code

12 Bounty UK Ltd is fined £400,00 for illegally sharing personal information belonging to more than 14m people


May 2019

07 Hall and Hanley Ltd is fined £120,000 for sending over 3.5m direct marketing text messages

08 The Be Data Aware campaign is launched

30 The ICO publishes its report, 'GDPR - one year on'


June 2019

04 The Information Commissioner makes a speech at a G20 side event in Tokyo

19 The ICO joins the UK Regulators' Network

20 The Adtech update report is published following industry engagement

24 EE Limited is fined £100,000 for sending over 2.5m direct marketing messages to customers without consent

27 Openness by Design, a new access to information strategy, is published


July 2019

16 A consultation on an updated data sharing code of practice is launched

29 The first participants for the ICO's data protection sandbox are selected

31 The ICO publishes its 2019 annual track research


August 2019

09 A consultation is launched on the draft framework code of practice for the use of personal data in political campaigning

15 The ICO issues a statement on the use of live facial recognition technology in King's Cross, London


September 2019

04 The ICO issues a statement on the High Court Judgement on the use of live facial recognition technology by South Wales Police

28 The ICO marks International Day for Universal Access to Information, with the theme ‘Leaving No One Behind!’


October 2019

21 The Information Commissioner chairs the 41st Global Privacy Assembly in Tirana, Albania

28 End of a series of blogs used to gather feedback for the development of guidance on the use of AI

31 The ICO publishes Opinion on automated live facial recognition


November 2019

05 The Information Commissioner writes to all political parties in relation to data protection law, ahead of the December 2019 general election

18 Appointed our first Data Ethics Advisor

27 ICO Deputy Commissioner Steve Wood appointed as Chair of the OECD Working Party on Data Governance and Privacy


December 2019

02 Launch of consultation, alongside the Alan Turing Institute, on AI Guidance


January 2020

08 Launch of consultation on the draft direct marketing code of practice

08 DSG Retail Limited is fined £500,000 after a major cyber-attack

21 The Age Appropriate Design Code is published

23 The ICO attends the second ICIC FOI case handling workshop

29 The ICO issues a statement on data protection and Brexit implementation


February 2020

12 Statement issued regarding the government's initial response to the Online Harms White Paper consultation

28 ICO Codes of Conduct and Certification schemes open for business


March 2020

02 The ICO issues CRDNN Limited £500,000 fine for making more than 193m automated nuisance calls

04 Cathay Pacific Airways Limited is issued fine of £500,000 for failing to secure its customers' personal data

12 Statement issued on data protection and COVID-19

17 The ICO moves to remote working as a result of COVID-19 pandemic

Section 1: Supporting the public


An important aspect of the ICO’s role is protecting people’s data protection 
rights. 


It is important the public understand that there is a regulator that protects the 
public on data protection issues, and in 2019/20, the ICO resolved more than 
39,000 complaints made by members of the public concerned that their data 
protection rights had not been respected. 


We also work proactively to support the public. One of the ICO’s key roles is to 
help the public and government make informed decisions about how personal 
data is used. We do this by explaining issues in an accessible and 
understandable way, engaging with the mainstream media, publishing blog posts 
and using social media to explain our work to the public.


Protecting vulnerable people 


A key priority over the past year has been our engagement with children’s data 
privacy. Following detailed consultation, we produced an Age-Appropriate Design 
Code, which was laid before Parliament on 11 June 2020. (See case study 
below.) 


We supported the Gambling Commission's work on protecting vulnerable 
consumers in the gambling sector, ensuring that data protection was built into 
new proposals. We have also been involved in the UK Regulators' Network's 
work on how vulnerable people are protected across a range of sectors and 
services; including looking at how we can improve our own services. 


Case study: Age-Appropriate Design Code


Summary 


The ICO is working to better protect children's privacy online, through the 
creation of design standards for online services. 

Why this is important


One in five internet users are children yet many of the services they access 
have not been developed with their needs, or their vulnerabilities, in mind. 


What we did 


We engaged with stakeholders including industry, child development 
experts, civil society groups and government to better understand the 
challenges involved. We also commissioned research working directly with 
children and their parents. 


This informed our drafting of a statutory code of practice setting out 15 
design standards that online services (eg apps, connected toys, social 
media, online games, educational websites and streaming services) should 
meet to protect children’s data. 


We then consulted on this draft Code. We considered the 450 responses we 
received and the final version included a greater focus on a risk-based 
approach to age assurance and allowed more flexibility in how 
organisations could meet the standards. The Code was submitted to the 
Secretary of State for Digital, Culture, Media and Sport (DCMS) in 
November 2019. The Government referred the Code to the EU Commission 
for scrutiny. That process was completed without any proposed changes 
and the Code was laid before Parliament on 11 June 2020. 


What the outcomes were 


Although the Code was only laid very recently, it already had a significant 
impact on the debate about children’s privacy and what data protection by 
design means. Organisations across the UK have been engaging with the 
Code and planning for how to implement it, and we have been engaging 
with stakeholders and have produced a short guide for small businesses to 
help with this process. It has increased the focus on children’s privacy 
internationally and has influenced our engagement with the Organisation 
for Economic Co-operation and Development (OECD). 


How this helped UK data subjects 


The Code requires online services to make the best interests of the child a 
primary consideration as they design and develop their products and 
services; placing responsibility on services to account for their decisions 
and to offer tools to help children and parents exercise the child’s rights. It 
requires services to provide a high level of protection by design and default, 
so that if a child does nothing to review or alter their privacy settings they 
are still protected. 


Other requirements include ensuring that terms and conditions are upheld, 
stopping the use of nudge techniques that encourage children to provide 
unnecessary personal data or weaken or switch off their privacy 
protections, and ensuring that children’s data is not used in ways that have
been shown to be detrimental to their wellbeing. 


Next steps 


Whilst we await the Parliamentary approval process, we will continue to 
engage with stakeholders to explain the requirements of the Code and to 
seek views about any additional support required. This will inform our work 
during 2020/21 to develop practical support before the Code comes into 
effect. We will also be developing our approach to regulatory supervision of 
those covered by the Code. 


Informing the public 


During the 2019 European elections, we launched our #Bedataaware campaign 
to explain to the public how political campaigners may use data analytics to 
micro-target voters. We produced a short explanatory animation and updated 
our guidance to the public. 


We also published blogs on how organisations should be using biometric data in 
a fair, transparent and accountable way. The blogs and associated 
communications gave people an insight into how organisations can use their 
personal data and informed people about their rights. 


Section 2: Enabling innovation and economic growth 


Data protection has an important role to play in supporting innovation. The 
potential of emerging technologies and approaches relies on public engagement, 
and trust around how data is used is an important factor in that. Organisations 
can contribute to developing trust through approaches such as data protection 
by design and default, which ensure data protection is built into new projects 
and innovations at an early stage. Regulation also plays a role, giving assurance 
to the public that checks and balances are in place to protect their information. 


As well as supporting the innovation that drives growth, our regulation also 
recognises the value of economic growth, from supporting SMEs with practical 
advice to building constructive and practical relationships with major technology 
companies. 


Supporting innovation 


The ICO provides advice and support to innovators at every stage of their 
journey to stimulate, support, facilitate, check and learn from innovative 
proposals and projects. We work with a wide range of organisations, from public 
authorities to private business, on topics from fraud prevention to healthcare. 
We have also worked with stakeholders to provide opportunities for informal 
‘road testing’. This has helped to build a robust but collaborative working 
relationship with industry and thought leaders. 

One of the key products we launched this year to do this was our Regulatory
Sandbox, which supports organisations who are developing products and 
services that use personal data in innovative and safe ways. Further information 
about the Sandbox is provided in the case study below. 


Our Innovation Hub provides similar expert advice to regulators and business 
with a focus on enabling organisations to build privacy by design into their 
innovation and development. The team supports other regulators’ projects to 
give businesses across a range of sectors the confidence to create innovative 
products and services that are both compliant and effective. The Hub has 
worked across the health, finance and legal sectors. The 18-month project was 
funded by the Regulators’ Pioneer Fund, and the support it has given includes 
advice on clinical trials data, AI and Open Banking. 


Given the success of the Hub, we plan to broaden the scope of organisations it 
can work with and include more collaboration opportunities with other innovative 
organisations such as Catapults, incubators, and universities. We will also make 
the case for greater cross-regulatory working through the Hub model as a means 
of bringing a streamlined approach to regulation and promoting data protection 
good practice in a time when emerging technologies and their challenges bring 
increasingly overlapping regulatory boundaries. 


Where businesses are innovating, our Data Protection Impact Assessment
(DPIA) Team has helped to ensure that they take account of data protection 
legislation and the rights of their customers. We have helped innovating 
businesses to properly document their consideration of data protection 
obligations and how they will ensure new projects do not pose a high risk to 
individuals’ privacy or wider rights and improve transparency: a major step in 
delivering data protection by design and default. 


We also have run ‘deep-dive’ sessions with some of our most significant Digital 
Economy based stakeholders, where high profile organisations have shared their 
approaches to embedding data protection by design with us. For example, a 
recent session provided an insight into how a leading social media company 
brought the DPIA process within their workflow for system functionality and 
feature developments. 


In the Summer of 2019 we undertook an Innovation Listening Tour; 
consulting and speaking to businesses, investors, government, academics and 
public sector organisations to better understand the risks and issues innovators 
encounter and how a regulator can help to remove barriers. We will embed the 
outcomes of that tour in our future work programmes. 


The development of AI has posed an increasing series of questions for 
innovators around how its use can be compliant with good data protection 
practice. In March 2019 we began a series of blogs which ran throughout the 
year, spearheaded by our Postdoctoral Research Fellow in Artificial Intelligence, 
Dr Reuben Binns. These blogs were about the development of a framework to
allow the auditing and assessment of the risk associated with the use of AI
applications, and how to ensure their use is transparent, fair and accountable.
This approach culminated in the launch of a formal consultation in February
2020. We plan to publish the final guidance during the summer.


During this year, we also began to conduct research and engage with a wide 
range of stakeholders about anonymisation and Privacy Enhancing Technologies 
(PETs). This included engaging with academia, industry, public bodies and the 
health sector. This has covered issues such as re-identification risks, 
anonymisation in context, data trusts, intruder testing, and genomics. We have 
also engaged with other data protection authorities and standards bodies to seek 
alignment. 


This has allowed us to clarify the key questions that need to be addressed in our 
guidance and informed our thinking on state-of-the-art tools and techniques. We 
will continue to engage with stakeholders about this throughout 2020/21, with a 
view to publishing blogs throughout the year on the development of our 
learning, culminating in new and updated detailed guidance. 


Case study: Regulatory Sandbox


Summary 


The Sandbox service aims to support organisations to develop products and 
services that use personal data in innovative and safe ways. Through the 
Sandbox, organisations can engage with us; draw upon our expertise and 
advice on mitigating risks and on ‘data protection by design’, whilst 
ensuring that appropriate safeguards are in place. 

Why this is important


The Sandbox helps organisations deliver new products and services which 
are of real benefit to the public, with the assurance that they have built-in 
data protection. The Sandbox is also important in helping us understand 
how organisations are innovating in the use of personal data, and how we 
should best engage with this innovation. 


What we did 


We reviewed existing Sandboxes, talking to the Financial Conduct Authority 
who have operated a Sandbox for several years. We also took inspiration 
from work done looking at how regulation needs to evolve to handle 
innovation before consulting on our intended approach. We then developed 
a detailed discussion paper on how the service would operate before 
running workshops with potential end-users to test our approach. 


We launched the Sandbox beta phase in March 2019 for a sample of 
organisations to try out the service. We then chose 10 organisations to 
work with us; developing an understanding of their product and service and 
putting in place a bespoke plan for their involvement in the Sandbox. 


All plans are now underway, and we are working with the organisations in a 
range of activities including workshops, written advice, site visits, process 
mapping and detailed considerations of how our guidance needs to be 
applied in each of the organisation’s specific contexts. 


What the outcomes were 


Whilst still a work in progress we have already gained insight through 
workshops and offered advice on how our existing guidance should be used 
in their unique circumstances. This has pushed us to consider where
additional guidance may help organisations with compliance. 


How this will help UK data subjects


The work we do in the Sandbox will enable us to address some key issues
for those innovating with personal data in the services they provide,
including:

• realising the benefits of data in the public sector;

• consent challenges;

• the challenges of new technology; and

• data analytics.


Next steps 


Over the remainder of the Beta phase we are looking forward to working 
alongside the organisations to develop some ground-breaking projects to a 
fully working solution, delivering innovative and compliant products and
services for the public good. 


These projects are potentially a blueprint for future work, laying down the 
privacy building blocks for future organisations, combining data protection 
and innovation. As we near the end of the Beta phase, we will undertake 
our own lessons-learned exercise and consider how best to develop the 
Sandbox service in future. Further information on the Sandbox is available 
on the ICO’s website.


Working with businesses 


A key aspect of our regulatory work is engaging with businesses and 
organisations to help them comply with the law. 


This year we introduced our new SME Service Hub. This allowed us to begin to 
evolve our services so that they are more accessible to non-expert and
time-pressed small organisation owners and employees. It adds to our existing SME
helpline and live chat service and includes easy-to-follow advice, toolkits, 
checklists, podcasts and FAQs to help SMEs get started in data protection. 


In the run-up to the UK’s exit from the European Union we created a suite of 
products and worked to get the links to our guidance shared on other people’s 
websites. We used this opportunity to continue to build links with organisations 
that support SMEs, helping us to reach wider audiences and giving them the 
opportunity to learn more about data protection. 


One of our main partners has been the Federation of Small Businesses, with 
whom we delivered a series of ‘Business Masterclass’ workshops. Attendees 
praised these events for being informative, accessible and engaging. We also 
broadcast live on Facebook in support of Small Business Saturday and attended 
the Festival of Enterprise. 


Throughout 2019/20, the ICO, as a regulator with responsibility across the whole 
economy (both domestically and internationally, as data has no borders), has 
continued to work to deepen our engagement with the major businesses we 
regulate, particularly those with significant data protection impacts. 


Our work extends beyond the UK, to include major technology companies based 
in North America (see case study below). Our broader international work, 
through the Global Privacy Assembly and Organisation for Economic
Co-operation and Development (OECD) Privacy Committee also contributes to this
work. 


blogs/2020/03/combining-privacy-and-innovation-ico-sandbox-six-months-on/




Annual report 2019/20 | Performance report 


Case study: 
San Francisco 


Summary 


The Information Commissioner and a delegation of her staff visited 
California to engage with large technology businesses. 


Why this is important: The key message in our engagements with 
businesses throughout the UK and the world in 2019/20 was the need for a 
new relationship of trust and cooperation between regulators and business, 
if we are to find the right balance between freedom and protection in the 
digital world. We need a richer engagement on the privacy implications of 
engineering and business models at an earlier stage, and to ensure that 
these are baked-in from the design stage. 


What we did 


During this visit, the Commissioner and her staff had extensive meetings 
with technology businesses small and large, including Twitter, Uber and 
YouTube, and board-level meetings with Apple, Facebook and Google. We 
met with the venture capital community, civil liberties campaigners, 
engineers, and privacy practitioners. The Commissioner gave a guest 
lecture and met staff and students at UC Berkeley School of Law, and met 
the key politicians in Sacramento behind the California Consumer Privacy 
Act (CCPA) - Assemblyman Ed Chau and Attorney General Xavier Becerra. 


What the outcomes were 


The reception was universally warm and welcoming and helped us to build 
strong relationships with key stakeholders. The UK’s brand of pragmatic 
and proportionate regulation was widely praised by businesses and 
lawmakers, as was our willingness to find new regulatory solutions to 
problems. It was striking how closely the privacy developments in the UK 
were being followed in California. For example, recognition of the strengths 
of the UK’s legislative framework and the ICO’s regulatory powers during
our investigations was attributed as being a catalyst to the efforts to
develop the CCPA. 


How this will help UK data subjects 


When UK citizens use apps or digital services, they expect their data 
protection rights to be protected, irrespective of where the company 
providing the service is based. Our visit built lines of communication with 
big technology companies that will help us to better protect people’s data 
protection rights. 


Next steps 


The California Senate is already working on a ‘kid’s code’ modelled on our 
Age Appropriate Design Code (explained in detail earlier in the report). We 
came away from California with commitments to sustain and further 
develop this engagement. We will also continue to build on the relationships 
we established during the visit. 


Enabling economic growth 


Building our relationships with major technology companies has only been part 
of our work to enable economic growth. During 2019/20 we have worked to 
build our economic analysis capabilities, to ensure that economic impact is 
factored in at all stages of our work. This helps to ensure our approach to 
regulation is proportionate, and takes account of how we might support or 
enable economic growth, as required by the Regulator’s Code. 


In the coming year, the plan of work in this area will be headed by a newly 
appointed Head of Economic Analysis, who has joined us on secondment until 
January 2021. This will include training for staff, development of an impact 
assessment framework to inform our regulatory decisions, and greater analysis
of the economic impact of our work. 


During 2021/22 we will also expand the size and capability of our economic 
analysis team to ensure that we have sufficient capacity to deliver this work 
throughout the year and beyond. 


Economic analysis has been an input into some of our major casework, ensuring 
that this work sufficiently factors in the economic context. Some key areas are 
the innovative use of data and public sector data sharing, international transfers, 
and AdTech, as well as more generally understanding the interactions between 
privacy and competition. 


Enabling economic growth also requires cooperation with other regulators. Work 
we have undertaken with the Competition and Markets Authority (CMA), Ofcom 
and others has allowed for a more joined-up approach to regulating in such an 
environment and greater clarity for stakeholders.


Our work with other regulators has given us a better understanding of data
protection issues and how they can be approached as we are more aware of, and 
can minimise, the unintended consequences of proposed regulatory intervention. 
For example, joint working with regulators across the legal, health and finance 
sectors has identified emerging issues such as AI-assisted decision-making and
targeting which touch on other regulators’ remits. 


We have also taken advantage of our membership of the UK Regulators’ Network 
(UKRN). The UKRN brings together regulators from the utility, financial and 
transport sectors for the benefit of consumers and the economy to share 
knowledge, explore cross-cutting issues and build better ways of working. 


Encouraging innovation in privacy 


We support the private sector to develop new privacy-friendly ideas, particularly 
through our research grants programme. A case study on this is provided below. 


We also recognise good practice by data controllers and their increasingly vital 
role through our annual ICO Practitioner Award for Excellence in Data Protection. 
At the end of the year we awarded our third annual award to Barry Moult, 
Information Governance and Privacy Consultant, and former Head of Information 
Governance at an NHS Trust. 


Chosen by an independent panel, Mr Moult was recognised for his commitment 
to protecting the data protection rights of NHS patients, showing passion for his 
subject, and wanting to leave a legacy of good data protection practice by 
training others. The ICO particularly welcomed Mr Moult’s comment that he 
wants patients to receive the best care and treatment they can by virtue of the 
most effective use and management of their personal information. 


This sums up what good data protection professionals understand: that good 
data protection is a help, not a hindrance, to innovation and excellence. 


Case study: 
The ICO Research Grants Programme


Summary


The ICO’s Research Grants Programme provides £1m from 2017 to 2021 
to stimulate external expertise and encourage innovative research into 
privacy and data protection issues. It supports initiatives that contribute to 
raising public awareness of data protection issues and rights, promoting 
best practice and developing the ICO’s own policy thinking in emerging 
areas of interest. 


Why this is important 


The programme delivers high-quality outputs linking innovative practice 
from the research sector to practical benefits for the UK public: 


• To increase the public's trust and confidence in how data is used and
made available.

• To improve standards of data protection rights practice through clear,
inspiring and targeted engagement and influence.

• To stay relevant, provide excellent public service and keep abreast of
evolving technology.


What we did 


We funded our first four projects in 2018/19 (Phase 1). Those projects, 
which are now completed, covered: 


• machine readable privacy notices and data protection rights in
banking and insurance (Open Rights Group);

• digital privacy skills for children toolkit (London School of
Economics);

• privacy tool and user interface for health care records (Teesside
University); and

• a tool to evaluate the risk of re-identification (Imperial College
London).


While the ICO funds and supports these research projects under the Grants 
programme, the research itself is independent and we do not seek to 
influence its conclusions. 


For the 2018-19 call (Phase 2), we received 67 applications. Key themes 
from the applications included AI, machine learning and biometric data, as 
well as children's data, improving practice for SMEs and privacy
applications of blockchain. We funded the following four ongoing projects: 


• research on the impact of data protection laws on genomic
technologies (PHG Foundation);

• research on privacy by design in smart homes (University of Oxford);

• data protection rights inclusion for homeless people (The Connection
at St Martins in the Field); and

• training programme for researchers working with routinely collected
data (Cardiff University).


What the outcomes were 


The Phase 1 projects have ended with key outcomes including the 
development of online open source toolkits and in-depth reports 
highlighting good practice for children’s privacy, data protection rights in 
the banking and insurance sector and anonymisation of personal data as 
well as the sharing of patient healthcare data. LSE’s work on children’s 
privacy was highlighted by the UN Special Rapporteur’s end-of-mission 
statement on the Right to Privacy in the United Kingdom. 


LSE’s research has also fed directly into our own work, such as the Age 
Appropriate Design Code. Other projects, such as ICL’s research on data
anonymisation, support the development of the ICO’s Anonymisation Code
of Practice. Alongside this, PHG Foundation’s work on genomic technology 
and the GDPR continues to develop and inform our understanding of an 
emerging and important sector. 


How this helped UK data subjects 


These project tools help the public understand complex and emerging 
technological and data protection issues. Their open source nature ensures 
that others can continue to explore and develop these tools, maintaining 
their relevance and use beyond the initial scopes of the projects. 


Furthermore, many of the projects have directly engaged with the UK 
public, seeking to understand their experiences and concerns about data 
protection issues, from their rights under GDPR to concepts of privacy and
data flows. This has ensured that project outputs remain accessible and 
relevant as well as providing a key source of qualitative data for the ICO to 
draw upon. 


Next steps 


We will pull together what we have learned from Phase 1 and its outputs 
and bring the Phase 2 projects to a conclusion. Phase 3 projects will be 
launched in 2020. Finally, a launch for Phase 4 is planned for 2021. 


We are also considering how the Grants programme might develop in the 
future. 


Section 3: Raising global data protection standards 


The ICO's international influence helps to raise data protection standards and 
regulator co-operation worldwide. We take a leading role in several multi-lateral
forums. This includes being Chair and Secretariat of the Global Privacy Assembly
(GPA), which brings together 130 data protection authorities worldwide to 
address emerging policy and technical issues and develop greater cooperation. 


Improvements to global data protection standards help to increase our 
confidence that the personal data of UK citizens flowing across borders is subject 
to continuous scrutiny and effective regulation from a connected network of 
regulators. This also helps to ensure that UK businesses are supported to 
operate globally, which is particularly vital to support the digital economy after 
the UK’s exit from the European Union. 


Case study: 


Global Privacy Assembly (GPA) 


Summary 


The Commissioner is currently Chair of the GPA and ICO staff provide the 
Secretariat as well as being both leads and members of key working 
groups. This commitment demonstrates and advances the UK’s leadership 
of the global privacy and data protection agenda, influencing the direction 
of the GPA’s work to champion regulatory cooperation and better enable 
data protection and privacy authorities to fulfil their mandates for the 
benefit of individuals and organisations. 


Why this is important 


Individuals suffer when data protection goes wrong; and free flows of data 
are key to trust in trade and economic relationships. The GPA works to 
develop consistent approaches to emerging data protection issues that 
members can then use to influence their respective government policy 
makers. This is particularly important in today’s globalised world with
cross-border data protection issues and in the context of technological advances
such as AI, rapid changes in the digital economy and the requirements to 
enforce when companies operate worldwide. Our Chair, Secretariat and 
active Working Group roles allow us opportunities to influence the GPA's 
work in support of our domestic regulatory role.


What we did


The ICO led a new strategic direction for the Assembly, developing a highly 
significant resolution on the Conference's Strategic Direction 2019 - 2021 
which was adopted at the October 2019 conference held in Tirana. This 
resolution is coupled with the first ever GPA Policy Strategy and sets out a 
clear vision for the GPA for the next two years. 


The policy strategy is based on three pillars: evolution toward global 
frameworks and standards; greater enforcement cooperation; and 
identifying priority policy themes and support the GPA's strategic priorities. 
The move to strengthen regulatory co-operation paves the way not only to 
sharing best practice, but potentially sharing lines of enquiry year-round to 
improve authorities’ responses to the digital economy challenges for 
individuals’ personal data. 


In October, together with the Albanian conference hosts, the ICO welcomed 
more than 700 participants to the annual conference. These represented 90 
data protection and privacy authorities, and stakeholder groups from across 
the law, industry, academia, law enforcement, civil society privacy 
advocacy group and international organisation sectors. 


In addition, the conference and around 25 side events discussed emerging 
priorities for data protection authorities such as practical accountability 
methods in organisations and cross-border convergence in data protection 
law, bringing together ideas that authorities can use at local level. 
Conference members also followed up on the conference’s recent 
Declaration on AI and global promotion of the importance of privacy as a 
fundamental human right. 


What the outcomes were 


The implementation of the newly adopted policy strategy is now well 
underway and will continue throughout 2020. 


The documents adopted provide a roadmap for action⁴. The GPA will take
future action to establish a contact group to proactively engage with other 
key stakeholder groups in the privacy arena. 


How this helped UK data subjects 


The GPA initiative is a substantial effort in driving up global standards of 
data protection, with commitment from data protection and privacy 
authorities from every continent where there is data protection law. 
Initiatives such as this help to bolster public confidence that the personal 
data flowing across borders is subject to continuous scrutiny and effective 
regulation from a connected network of regulators. 


How this helped UK businesses


Promoting good data practices and common global frameworks through the
GPA assists in improving consumer trust in the digital space, which in turn 
helps to boost the economic outlooks of British businesses. GPA resolutions 
help to achieve consistency between members’ outreach strategies to 
business, other regulators and other stakeholders. The business sector will 
also be able to share their views on global agenda issues addressed by 
GPA, through business voice representation in the new GPA Reference 
Panel. 


Next steps 


The GPA policy strategy implementation will be reinforced by an outward 
looking approach to engaging with key groups of stakeholders, in particular 
civil society, in a reference panel to be formed in 2020. 


European Data Protection Board (EDPB) 


Until 31 January 2020 we were a full member of the EDPB as it continued to 
support the implementation of the GDPR. We have played an active role in the 
Board’s expert sub-groups, on issues including AdTech and guidance on new 
technologies, and in the development of EDPB’s approach to codes of conduct 
and certification. We are also involved in many one-stop-shop enforcement 
investigations and applications by multi-national corporations for authorisation of 
binding corporate rules for intra-group transfers of personal data. 


After the UK’s exit from the European Union in January 2020, our membership of 
EDPB ended and our role in the one-stop-shop system will cease at the end of 
the transition period. During the run-up to this, we therefore focused on building 
relationships with key European data protection authorities to ensure we 
continue our strong relationships and strong data protection for the UK public 
and organisations after the UK’s exit from the EU. 


Expert advice and guidance on the UK’s exit from the European Union 


We played an active role during 2019/20 supporting Government planning for 
No-Deal scenarios and ensuring that guidance and information was available for 
businesses and the public sector. And since the UK left the EU on 31 January 
2020 the ICO has been providing expert independent advice to Government to
support their consideration of new approaches to continued regulatory 
cooperation between the UK and EU and to define ICO's role in the EU Adequacy 
process. A key area of work for the coming year will therefore be developing new 
mechanisms and approaches for our relationship with the EDPB, EU Commission 
and individual European data protection authorities now that the UK has left the 
EU. 


4 More information on documents adopted by the Assembly on its website:
https://globalprivacyassembly.org/document-archive/adopted-resolutions/


Chairing the Organisation for Economic Co-operation and Development
(OECD) Data Governance & Privacy Working Group


Since November 2019, the Deputy Commissioner for Regulatory Strategy has 
been Chair of the new OECD Data Governance & Privacy Working Group, a key 
sub-committee of the OECD Committee for Digital Economy Policy. 


Co-operating on International enforcement work 


International enforcement and cooperation between supervisory and data 
protection authorities is essential to ensure effective responses to major data 
privacy or security incidents, some of which have affected large numbers of data 
subjects on a global scale. 


This work includes our involvement in several information sharing and 
cooperation platforms, and the development of bilateral relationships with 
specific international regulators in connection with specific investigations or 
areas of concern. In the EU system, the ICO has Lead Supervisory Authority 
status (LSA) for several current investigations, and where we are not the LSA, 
we have continued to ensure that the data protection rights of UK subjects are 
protected. 


We have also developed our relationships with authorities responsible for other 
legislative obligations such as NIS; this is key to achieving an effective response 
to network security and data security incidents where large numbers of 
individuals in multiple territories are affected. 


Section 4: Taking regulatory action 


The ICO offers strong, predictable and consistent law and regulation, married 
with clarity for business through our accessible guidance and our considered, 
consultative approach to novel issues. 


The ICO devotes around three quarters of its resources to proactive engagement 
activities. In this section of the report we set out the highlights of this work in 
2019/20. 


In addition to engagement, we took action. In total throughout 2019/20,
there were 236 instances of the ICO taking regulatory action in response to
breaches of the legislation it regulates. That included 54 Information Notices,
eight assessment notices, seven Enforcement notices, four cautions, eight
prosecutions and fifteen fines. During the year we conducted over 2,100
investigations. This section of the report provides some information on some of 
the key regulatory action we have taken throughout the year. 


Understanding and influencing innovation practice and culture 


As set out in the San Francisco case study above, we have engaged with our 
stakeholders in the technology sector to develop a deeper understanding of their 
approaches to data protection by design in innovation, and to set out ICO
positions on high-profile issues such as age-appropriate design, targeted online
advertising, and personalisation of online services. This engagement was 
demonstrated by Board-level meetings with Apple, Facebook and Google in 
February. 


Case study: 


AdTech: Real Time bidding 


Summary 


AdTech is a form of advertising that involves the automated buying and 
selling of online advertisements in real time. Real Time Bidding (RTB) refers 
to the process whereby advertisements are auctioned in real time. We 
began reviewing data protection practices in the RTB ecosystem in Autumn 
2018 in response to general concerns about how personal data is processed 
to support the auction of online adverts, the large scale (billions) of 
transactions a day and the high speed nature of the processing. 


Why this is important 


RTB raises several data protection rights risks due to the nature of the 
processing activities, eg large-scale processing, profiling and automated 
decision making, combining and matching data from multiple sources, 
tracking of location or behaviour, and invisible processing. The auctions 
involve processing the personal data of most internet users with millions of 
‘bid requests’ processed every second and shared through an ecosystem of
numerous participants. 


Our concerns centred on compliance of RTB with the data protection 
framework (DPA 2018, GDPR and PECR), which included issues around the 
processing of special categories of data, the security of data as it is 
transferred between many third parties, and the possibility of applying 
legitimate interests as a lawful basis for processing. 


What we did 


We undertook an intelligence gathering and engagement exercise to better 
understand the nature of the RTB ecosystem, and to evaluate our own
concerns as well as those presented to us by external parties (Brave and
Privacy International). On 20 June 2019 we released the Update report 
which identified nine areas of concern: 


• Non-compliance with PECR requirements about the use of cookies and
similar technologies, and applicable consent requirements.

• Processing of special category data was taking place without explicit
consent, and no other condition applies.

• The standard of legitimate interest assessments within industry
provided limited assurance of the understanding of this lawful basis.

• Lack of understanding about the legal requirements to undertake data
protection impact assessments in RTB, leading to low confidence that
the risks to data protection rights and freedoms had been properly
assessed and mitigated.

• Privacy information provided to individuals lacks clarity and is overly
complex, with industry frameworks being insufficient to ensure
transparency, fair processing, and valid consent.

• Extensive processing of personal data and its disclosure to multiple
organisations without the knowledge of individuals.

• Inconsistent application of technical and organisational measures.

• Inconsistent data minimisation and storage limitation controls.

• Individuals have no guarantee about the security of their data once it
enters the ecosystem.


In July 2019 we revised our guidance on the use of cookies which had 
direct relevance to the processing in AdTech. This, and the update report, 
helped provide clarity to industry on the issues and what we expected 
participants to do to ensure transformation of practices and compliance 
with the law. We provided a ‘grace period’ of six months (to the end of 
December 2019) to enable participants to develop plans for change. 


During this period, we continued our engagement with trade associations 
and other stakeholders, in particular IAB Europe and Google. Since then we 
have noticed that while some parts of the industry have started to 
recognise that change is necessary, there is still significant inertia. 
Therefore, we are now using the intelligence gathered and our engagement 
activity to develop an appropriate regulatory response.


What the outcomes were 


We have significantly raised awareness amongst the industry and media of 
the issues within the RTB ecosystem. 


The level of engagement from industry on this issue has demonstrated their 
appetite to address the concerns we have identified. In addition, we have:

• developed a robust, evidence-based assessment of the concerns
identified;

• articulated to data subjects and controllers, in a clear manner, the
issues and expected changes;

• engaged with industry to help them understand how they can
transform their approach; and

• started to develop a plan to address the inertia that still exists by
considering what the appropriate regulatory response should be.


How this helped UK data subjects 


Our work on AdTech and subsequent press interests has led to increased 
awareness among individuals about how their data is processed online. 
Additionally, through better understanding by industry of the issues, we 
have also seen the start of changes that will lead to positive outcomes (eg
Google and the IAB have committed to undertake changes that will 
transform practices). 


However, the ICO’s AdTech work is not complete, and significant additional 
effort will be needed to address the issues within the RTB ecosystem. This 
will be the focus for 2020/21. 


Next steps 


In line with our regulatory approach during the COVID-19 pandemic, at the 
time of writing we have made the decision to pause our investigation into 
RTB and the AdTech industry. It is not our intention to put undue pressure 
on any industry at this time. However, our concerns about AdTech remain 
and we aim to restart our work during 2020/21, when the time is right. 


Updating and producing new guidance 


We developed new guidance for the event that the UK leaves the European Union
with no deal in place, and on Special Category Data (Articles 9 and 10), the
Immigration Exemption, and Special Category Data and Part III Processing. We also
created detailed guidance, with the Alan Turing Institute, on how to provide
explanations of decisions made with AI, which was published in May 2020⁵.


In addition, we updated guidance on a wide range of areas, including Your Credit 
Explained, Right of Access, Right to Erasure, Right to Object, as well as on FOIA 
and the EIR. 


In a recent survey 91% of respondents ranked ICO guidance as the single most
useful source of information to help them develop their internal compliance.
77% of respondents also rated our ICO Guide to GDPR as more useful than
other sources of information such as third-party frameworks (11%),
consultancy support (10%) and law firm advice (4%).


5 https://ico.org.uk/for-organisations/guide-to-data-protection/key-data-protection-themes/explaining-decisions-made-with-ai/


All our guidance is available on our website at ico.org.uk. 


Launching new GDPR services


We launched new services that were introduced by the GDPR:


• Codes of conduct help organisations that represent a group of data
controllers (eg trade, membership or professional bodies) to support
compliance with key data protection issues.

• Certification allows organisations to develop GDPR certification schemes
for personal data processing within defined products, services or
processes.


The launch represents the culmination of over a year of negotiations with 
external stakeholders, our national accreditation body UKAS and our European 
counterparts at the European Data Protection Board (EDPB) to ensure we have the
right processes and systems in place to support these new processes. Further
information is available on our website⁶.


In 2020/21 we plan to launch our Accountability Framework. This will, for the 
first time, set out clearly our expectations on the key practical measures which 
organisations need to have in place to demonstrate compliance with data 
protection rights legislation. 


Taking proportionate action when required 


We have concentrated resources on the investigation of cases aimed at 
improving data security practices, reducing unlawful access, and addressing 
compliance concerns about the use of new surveillance technology. These areas, 
along with nuisance calls and texts, have dominated our investigative and 
enforcement activities. 


We identify the key areas of concern through our Strategic Threat Assessment, 
which draws on information gathered throughout the ICO to identify emerging 
threats to information rights. A case study on this is provided below. We assess 
all potential cases against a prioritisation framework, with the highest priority 
cases subsequently assessed against a detailed risk assessment framework. This 
enables us to identify where risk, impact or harm is highest and to allocate 
resources accordingly. 


In May 2020 we issued an enforcement notice against Her Majesty’s Revenue
and Customs (HMRC) following an investigation into HMRC’s voice authentication
service. Our investigation found that HMRC did not have adequate consent from
its customers for this service and the enforcement notice ordered HMRC to
delete any data it continued to hold without consent. Further information is
available on our website⁷.


of-conduct-and-certification-schemes-open-for-business/


During the year our investigations resulted in four cautions and eight 
prosecutions. These cases were prosecuted under section 55 of the Data 
Protection Act 1998, section 77 of the Freedom of Information Act 2000 and 
section 170 of the Data Protection Act 2018. In 75% of cases the defendants
submitted guilty pleas, negating the necessity for protracted trials with the
associated costs. 


The case prosecuted under section 77 of the Freedom of Information Act 2000 
was the first successful prosecution of its kind. The defendant in this case was 
convicted of an offence of blocking records with the intention of preventing 
disclosure. 


Section 77 of FOIA states a person “is guilty of an offence if he alters, defaces, 
blocks, erases, destroys or conceals any record held by the public authority, with 
the intention of preventing the disclosure by that authority of all, or any part, of 
the information to the communication of which the applicant would have been 
entitled.” 


This case emphasised the critical importance of transparency for public 
authorities in the way they carry out their business. 


2019/2020 saw the issue of the first penalty notices under the Data Protection 
Act 2018 for non-compliance. We publish details of the enforcement action we 
have taken on our website⁸. 


Two of our most significant cases this year were the major data breaches of 
British Airways and Marriott, which received a large amount of media attention 
in July 2019. The regulatory process is ongoing in these cases. 


We also settled a case with Facebook, which had been brought under the DPA 
1998. The full statement on this settlement is available on our website⁹. 


The ICO continues to have a range of powers, which we use proportionately and 
in response to the risk. Below are three examples: 


7 https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/05/blog-using-biometric-data-in-a-fair-transparent-and-accountable-manner/ 

8 https://ico.org.uk/action-weve-taken/enforcement/ 

9 https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/10/statement-on-an-agreement-reached-between-facebook-and-the-ico/ 


Law enforcement use of facial recognition technology in public places 


We conducted an investigation into the law enforcement use of facial 
recognition technology (FRT) in public places. The investigation particularly 
focused on the use of live facial recognition capabilities in South Wales 
Police (SWP) and the Metropolitan Police Service (MPS). 


During the course of the investigation the ICO attended police deployments 
of FRT and conducted compliance assessments of SWP and MPS, including 
onsite examination of policies, procedures and technology. 


The investigation did not limit itself to reviewing facial recognition 
capability in the context of data protection legislation, but scrutinised the 
entire legal framework within which FRT was operating in order to inform 
and develop the ICO’s policy positions regarding lawful basis, human 
rights, and the adequacy of the technology on bias and anti-discrimination. 


Based on our investigative findings, the MPS and SWP have made 
significant changes to the ways in which they process personal data, 
setting clear direction on standards and quality nationally. The ICO also 
published the first Commissioner’s Opinion in October 2019 under data 
protection legislation¹⁰, explaining the application of data protection law to 
the use of FRT for the law enforcement purpose. 


The investigation has driven improved practices in the UK, and we have 
seen revised law enforcement policies and procedures to align them with 
the Opinion and continue to have positive engagement with police 
organisations. The ICO’s investigative and policy delivery on FRT were 
presented at the Asia-Pacific Privacy Authorities (APPA) forum in the 
Philippines in December 2019 and the ICO has received excellent feedback 
from data protection experts internationally. 


This case has helped the public understanding of the issues that affect their 
information rights and privacy. In 2019 the ICO intervened in a judicial 
review of SWP's use of facial recognition technology. Critically the court 
agreed with the ICO's evidence that the facial recognition process relies 
upon biometric data of individuals, irrespective of whether a match 
occurred, and that data protection legislation applies. The court also 
confirmed that the Commissioner has a primary role in regulating the use 
of FRT by the police. The ICO continues to be involved in the appeal case, 
which is due to be heard in June 2020. 


Metropolitan Police Service (MPS) and the Gang Matrix 


Last year we served a notice on the MPS for their work on the gang matrix. 
This was a database which recorded intelligence related to alleged gang 
members and victims of gang related crimes. We have continued our work 
to ensure that the terms of the November 2018 enforcement notice were 
met. This notice required MPS to make a significant number of changes to 
their governance, policies and procedures to improve compliance with data 
protection law. This has resulted in substantial improvements to 
compliance and the removal of many individuals who MPS has agreed 
should not have been on the matrix. 


10 https://ico.org.uk/media/about-the-ico/documents/2616184/live-frt-law-enforcement-opinion-20191031.pdf 


Nuisance marketing firms 


We have continued to act against nuisance marketing firms. The publicity 
generated by these fines, and our communications, highlight to the public 
what they can do to stop and report nuisance calls. 


The work highlights the types of calls the public and vulnerable people 
could receive ranging from calls about funeral plans, home security, PPI 
and boiler replacement. We received 102,611 complaints from the public 
about Automated and Live calls. We have continued to investigate incidents 
reported by the Communication Service Providers under Reg 5a, and 
investigated breaches of the DPA where issues have crossed both pieces of 
legislation. Investigations concluded led to us issuing seven Monetary 
Penalties, five Enforcement Notices, and 14 PECR 5a Penalties (year to date 
figures). 


Case study: 
Strategic Threat Assessment 


Summary 


Our Intelligence Strategy to 2021 sets out how we use tactical and 
strategic intelligence to drive activity across the ICO. A key part of this is 
our new Strategic Threat Assessment, which is our most authoritative 
threat narrative, produced for the first time in 2019. This consolidates the 
importance intelligence has in shaping our regulatory work. 


Why this is important 


The range of risks and opportunities encountered by the ICO continues to 
increase as technology advances and the growth of the digital economy 
presents us with data flows on an unprecedented scale. This requires us 
to effectively exploit existing information sources and explore new ones in 
order to develop a rich picture of the evolving information rights 
landscape. If we are to effectively uphold data protection rights for the 
UK public in the digital age, we must ensure we take an intelligence-led 
approach to deploying our resources. Our Strategic Threat Assessment 
allows us to do this. 


What we did 


Our Strategic Threat Assessment draws on information and expertise 
from across the ICO, national and international stakeholders, media 
reports, academic research and information from the public, including 
through our complaints handling. We have enhanced the range of 
information available to us and therefore the potential to identify new 
issues quickly through developing new stakeholder relationships, 
updating our suite of Memoranda of Understanding and developing an 
internal network of ‘Intelligence Champions’. 


We analyse and assess this information and develop it into actionable 
intelligence. We have begun to make use of new risk assessment models 
in order to prioritise specific threats and theme areas. These threats and 
theme areas capture both existing threats and those that are approaching 
us on the horizon. 


Our 2019 Strategic Threat Assessments identified threats about: 


• cyber security; 
• children and vulnerable adults; 
• surveillance and associated technologies; 
• artificial intelligence; 
• public sector digital transformation; 
• advertising technology; and 
• invisible processing. 


For each area we explored more specific issues and made 
recommendations to cross-office colleagues about how to best direct our 
resources. In addition, we also conducted some broader horizon-scanning 
across topics not covered by the above list. However, this is an evolving 
process and new threats continue to be identified and existing threats 
refocused and redefined. 


What the outcomes were 


We have produced two strategic threat assessments during this financial 
year. These have in turn been used to identify the three impacts and six 
priorities, set out earlier in the report. 


We have developed a new Tasking and Coordinating process in order to 
identify, prioritise and track work about each priority area. We have used 
new High Priority Investigation processes to ensure enhanced resource, 
focus and governance for areas presenting greatest risk to UK individuals 
and organisations. 


How this helped UK data subjects 


Through effective prioritisation we are able to focus on those areas 
presenting the greatest threat to UK data subjects and ensure our work 
has as wide an impact as possible. Ensuring we make use of all information 
sources available to us in order to do this allows us to accurately capture 
views from individuals, businesses and other stakeholders, nationally and 
internationally to inform this decision making process. 


Next steps 


This work continues and now forms a core part of the ICO risk 
assessment and prioritisation methodology. We plan to produce another 
full Strategic Threat Assessment during the 2020/21 financial year and 
will use this to continue to identify and support work in line with the ICO’s 
Information Rights Strategic Plan and Regulatory Action Policy. 


Involvement in litigation 


We continue to be involved in litigation through which the laws we regulate are 
clarified. For the decision notices we issue under section 50 of the Freedom of 
Information Act 2000, there is a right of appeal to the First-tier Tribunal 
(Information Rights) then possible appeals to the Upper Tribunal and higher 
courts. This year, for example, the Commissioner was actively involved in 
litigation before the Court of Appeal which involved determining the approach to 
be taken when a request for information to a public authority includes 
environmental information (as defined under the Environmental Information 
Regulations 2004). 


In addition, this year the Commissioner has intervened in a number of court 
cases which had the potential for a significant impact on data subjects and the 
interpretation of the DPA 2018. These included: 


• Intervening in an appeal before the Supreme Court against the lawfulness 
of the Home Secretary’s decision to provide mutual legal assistance to the 
United States, without seeking an assurance that the information provided 
would not be used in a prosecution that could lead to the death penalty. 
The judgment was handed down by the Supreme Court on 25 March 2020, 
and the Court unanimously concluded that in so far as the information 
provided constituted personal data, the decision was unlawful under the 
Data Protection Act 2018 on the basis that the Home Secretary had failed 
to give consideration to the necessary tests under the Act to ensure the 
protection of data subjects. (Elgizouli v Secretary of State for the Home 
Department (Interveners) ICO, Professor Heyns, the Death Penalty Project 
and Reprieve [2020] UKSC 10). 


• Intervening in a judicial review brought against South Wales Police over 
the use of Automatic Facial Recognition in public spaces to look for persons 
on a Wales-wide wanted list. The case is now under appeal to the Court of 
Appeal and is currently listed for a hearing in the Court of Appeal on 23-25 
June 2020 (R (on the application of Bridges) v The Chief Constable of 
South Wales Police and the Secretary of State for the Home Department 
(Interested Party) ICO (Intervener), (Surveillance Camera Commissioner) 
- [2019] EWHC 2341 (Admin)). This is linked to our opinion on Live Facial 
Recognition, referred to earlier in the report. 


• Intervening in a judicial review brought by two campaign groups against 
the Government challenging the lawfulness of the Immigration Exemption 
in the DPA 2018. As the independent statutory regulator under the DPA, 
and the supervisory authority for the United Kingdom under the GDPR, the 
Commissioner has a direct interest in the outcome of this claim and 
intervened (with the consent of the parties) to assist the Court on the 
legislative framework for data protection. The matter is currently under 
appeal at the Court of Appeal. (The 3million and Open Rights Group v The 
Secretary of State for the Home Department and The Secretary of State 
for Digital, Culture, Media and Sport (Interveners) Liberty and ICO) [2019] 
EWHC 2562 (Admin)). 


Section 5: Supporting the public sector 


The ICO has a clear focus on supporting organisations to comply with the law. 
This is reflected in the way we are invited to offer our expertise to the public 
sector, from supporting digital innovation in the health sector to working 
constructively on complex areas with the police. 


Central to this work is ensuring that these services maintain the public’s trust in 
how their data is used, shared and kept safe. 


Promoting transparency in the public sector 


In June 2019 we launched our new Freedom of information strategy, Openness 
by Design, following a public consultation. The strategy sets out five goals that 
directly link to our Information Rights Strategic Plan (IRSP) and our Regulatory 
Action Policy (RAP). The strategy sets out how we work to create a culture of 
openness in public authorities through casework, guidance and promoting good 
practice. It also makes clear that, where necessary, we will take action to 
enforce access to information rights where we see they are not being upheld. 


Openness by Design also commits us to making the case for legislative reform to 
improve transparency in the public sector, as set out in our Outsourcing 
Oversight? report published last year. Our focus here will be about building a 
debate about the importance of openness and transparency as a fundamental 
part of a healthy, functioning democracy. 


Chairing the International Conference of Information Commissioners 
(ICIC) 


The Information Commissioner chairs the ICIC, where she brings a focus on 
embedding governance processes stemming from the 2019 ICIC Charter 
(introduced during the Commissioner’s tenure as Chair); developing the ICIC’s 
strategic priorities; and establishing the long-term sustainability of the network 
via a Funding Working Group. 


Using audits to prompt change in the public sector 


We conducted 57 consensual data protection audits and follow-up audits across 
a range of sectors. The findings of these audits are published on our website¹¹. 


We also completed compulsory audits under Assessment Notice of seven 
political parties. These audits were conducted following our Democracy Disrupted 
report from July 2018. We provide individual audit reports to each party. We 
also completed a compulsory audit of the Crown Prosecution Service (CPS), 
which resulted in recommendations that the CPS agreed to implement. We will 
conduct follow-up audits of the CPS and the seven political parties during 
2020/21 to ensure our recommendations have been actioned appropriately. 


In addition, we conducted a data protection audit of HMRC, which incorporated a 
review of HMRC’s response to the actions mandated by an Enforcement Notice 
issued to HMRC in May 2019 (referred to earlier in the report). The audit 
concluded that the ICO was satisfied with the approach taken by HMRC to meet 
the requirements of the Enforcement Notice. Further information about this audit 
is available on our website¹². 


In terms of our responsibilities under the Investigatory Powers Act (IPA) we 
completed audits of all telecommunications operators subject to data retention 
notices requiring them to retain communications data under Part 4 of IPA. These 
audits assessed compliance with requirements of IPA for the integrity, security 
or destruction of data retained, and we provided individual reports to each 
telecommunications operator. We will provide the Home Secretary with a more 
detailed report about our responsibilities in this area. 


11 https://ico.org.uk/action-weve-taken/audits-and-overview-reports/ 

12 https://ico.org.uk/action-weve-taken/audits-and-overview-reports/her-majestys-revenue-and-customs-hmrc/ 


Section 6: Delivering the ICO service experience 


This year we have seen a continued high demand for ICO services. 


Since the implementation of the GDPR and DPA 2018 in May 2018, the total 
number of contacts we've received from the public has increased by almost 
70%, the number of data protection complaints received from the public has 
doubled and the number of personal data breaches reported to us has more than 
tripled. 


This section of the report provides information about how we have worked to 
continue to provide high quality public services to all ICO customers. It is then 
followed by our operational performance annex, which provides a series of 
graphs setting out our overall activity levels and outcomes. 


Providing reliable and responsive frontline advice services 


In last year’s Annual report, we outlined a range of service-focused changes that 
would be implemented across the ICO with an overarching aim to better 
integrate and focus the way we work, so that we can provide reliable and 
responsive services to our customers. 


Part of our plan was to integrate our general advice and data protection 
complaint services for the public. We have expanded this service and ensured 
that staff have developed more detailed knowledge of FOIA and PECR, as well as 
on data protection. This will allow us to better support demand from members of 
the public who contact us seeking advice about information rights or who wish to 
raise a data protection complaint about an organisation that we regulate or both. 


Through our new Business Services function, we have begun to improve and 
better connect the ICO services that are most relevant to organisations, 
including our Business Advice, Personal Data Breach and DP Fees services. This 
will help us provide a more accessible, responsive and supportive service to this 
customer group. 


Demand for these services continues to increase and as at 31 March 2020 we 
employed over 250 members of staff who directly help customers through our 
helpline, live chat, email and complaints handling services. Restructuring our 
public advice and business advice services is enabling us to focus on the 
specific needs of our different customers, and to develop distinct areas of 
expertise for our staff. 


We are also improving our technology. We have improved our online complaints 
form, so customers can attach supporting documents to it when they submit a 
complaint; we have developed our live chat service and made it available to 
more customers; and we are working to make paying the data protection fee 
quicker and easier. 


Next year we want to fully explore the benefits AI can bring, making our services 
more accessible, whilst enabling customers to perform more complex tasks for 
themselves. 


We established these changes in February 2020. Early indications are that the 
increases in capacity and capability mean we are better able to provide reliable, 
high-quality and more responsive services to all our customers. We will monitor 
this as we continue to develop in 2020. 


Dealing with high numbers of public complaints 


Data protection 


As our lives become increasingly digital and the public’s awareness of their 
individual rights to privacy grows, the trend for making complaints to the 
Information Commissioner has increased over time. This is positive, and 
demonstrates the impact of our efforts to raise awareness of individual rights 
and the shift in our position from an ombudsman to an enforcer of the law. 


Our strategic aim is to improve the quality of information rights practices across 
the private, public and third sector, ensuring that complaints and complainants 
remain the responsibility of the organisation concerned. When complaints are 
made to us, it is in effect a member of the public reporting to us that they 
believe a data controller is “breaking the law”, not the ICO providing an 
additional review or appeals process, similar to the services provided by an 
ombudsman. 


Complainants often tell us that they bring complaints to us when they do not 
have confidence in how a data controller has handled their data; and when data 
controllers fail to fully explain to complainants how they have arrived at a 
decision, understandably the public turns to the regulator. 


During 2019/20, we resolved 39,860 data protection complaints cases. 


In around half of the cases that we looked at in 2019, we found that there was 
more the data controller could have done to either improve their information 
rights practices, or explain in a more comprehensive way how they are 
complying with their legal obligations. Consequently, this year we have asked 
data controllers to revisit concerns and do more to assure themselves and 
complainants that they are complying with their obligations under the law. 


Whilst we cannot yet attribute a significant reduction in complaints being 
received by the ICO to this approach, we hope that in time, members of the 
public will see improvements in how their information rights complaints are 
handled by data controllers and that this improved experience will result in 
fewer complaints being received. As a result of this approach, we have seen 
evidence of compensation being awarded to complainants, complaints processes 
being overhauled, and good engagement across the vast majority of sectors. 


As part of the data protection complaints process, we have also this year 
routinely provided information and advice to data controllers so that they can 
improve their practices. We have monitored performance when we have 
identified trends or multiple complaints received about a data controller, and 
where compliance has been consistently poor, or we have identified a serious 
breach, we have taken steps to enforce compliance, in line with the ICO’s 
Regulatory Action Policy. 


Freedom of information 


This year we dealt with 6,421 FOI complaints, up 128 cases on the number of 
cases closed in 2019/20. 


Over the last 12 months, our focus has been to continue to strengthen and build 
on the efficiencies and service improvements made last year and to further 
reduce both the volume and age profile of cases. 


A new digital portal for the complaint submission process has allowed customers 
to clearly see what documentation is required before a matter can be progressed 
and will further assist in reducing the number of complaints that are lodged too 
early. 


We have also made several changes and improvements in our case handling 
process, updating our case handling service guide and introducing an early 
resolution mechanism to bring down caseload age. 


We have highlighted significant freedom of information decision notices on the 
ICO’s social media platforms, using #everydayfoi to promote information access 
as an everyday right. We also began publishing information notices on our 
website¹³, demonstrating to the public the action we are prepared to take to 
investigate their complaints. 


13 https://ico.org.uk/action-weve-taken/information-notices/ 


Annex: Operational performance 


Data protection complaints 


Last year, we reported on the significant increase in data protection complaints 
we received as the public became more familiar with their information rights and 
the implications and obligations that come with the GDPR. This level of 
engagement held steady in 2019/20. We received 38,514 data protection 
complaints, slightly lower than the 41,661 from last year. 


We closed 39,860 cases (up from 34,684 in 2018/19), reducing our caseload 
from 9,503 in March 2019 down to 7,987 in March 2020. We increased the 
number of operational casework staff and redeployed some of our existing 
resources to achieve this. 


Given that we started the year with a caseload of 9,503, we knew that achieving 
our timeliness targets in 2019/20 would be a significant challenge. We therefore 
focused on key areas that would help streamline our service, improve the 
‘customer experience’ through better self-help digital tools and reduce the 
number of complaints sent to us too early. 


Whilst we have closed a record 39,860 cases and have reduced our caseload to a 
more manageable 7,987, we unfortunately have not been able to meet our 
target of 80% of cases being resolved within 12 weeks, achieving 74% for 
2019/20. We have however been able to resolve over 98% of complaints within 
our six-month timeliness target. 


For 2020/21 our aim is to reduce our caseload further, bringing this below 7,000 
and maintaining this where we can. By multi-skilling our Public Advice and Data 
Protection Complaints teams, we will have the flexibility to deploy our resources 
where necessary to achieve our 12 week casework timeliness target, whilst at the 
same time providing a more responsive service to the public who contact us via 
telephone, live chat or email. 


Freedom of information complaints 


This year we received 6,367 Freedom of information complaint cases, compared 
to 6,418 in 2018/19. 


Despite these ongoing high case volumes, we have been able to keep pace, 
closing 6,421 cases during the year, an increase from last year’s figure of 6,293. 
This means that in 2019/20 we exceeded our FOI timeliness target (to close 
80% FOI complaints within six months), by closing 88% of complaints within six 
months. 


We issued 1,446 statutory decision notices this year. Each party to a decision 
notice has the right to appeal the decision to the First-tier Tribunal (Information 
Rights). There has been an increase in the number of decision notices being 
appealed, from 17% in 2018/19 (246) to 22% in 2019/2020 (311). 


However, whilst there has been an increase in appeals to the First-tier Tribunal, 
77% of appeals have been successfully defended during 2019/20, the same 
success rate as 2018/19. 


Advice services 


Following a busy GDPR implementation year in 2018/19, volumes of enquiries 
from organisations and members of the public have remained high. Our answer 
rates on our helpline and written advice services have improved, showing that 
we are well-placed to meet this level of demand for our service. 


Although there has been a drop in our live chat answer rate, this reflects a 
change to the way we provide the service. In 2019/20 we implemented a new 
live chat platform which allowed customers to queue to chat. Although this 
meant some customers waited longer to chat than before, it also significantly 
increased the number of people who have been able to use this service. 


Data protection complaints 


[Chart: DP complaint casework received, 2017/18 to 2019/20] 

[Chart: DP complaint casework finished, 2017/18 to 2019/20. 2018/19: 34,684] 

[Chart: Caseload. 31/03/2019: 9,503] 

[Chart: Age distribution of caseload] 

[Chart: Age distribution of finished casework] 


Outcomes 2019/20 

No Infringement                       24.9% 
Concern to be raised with DC          23.1% 
No Infringement - advice given        16.6% 
Infringement - with steps required    15.0% 
Infringement - with Advice Given      10.2% 
Response needed from DC                6.1% 
Not GDPR                               2.9% 
Case Referred through IMI System       1.1% 

Casework finished with the following outcomes - administrative fine, no 
order made, compliance audit recommended and enforcement notice 
served represented 0.1% of the total. 


[Chart: Sectors generating most complaints] 


Freedom of information complaints 


[Chart: Age distribution of caseload %] 

[Chart: Outcomes 2018/19. Categories: Complaint made too early (no internal review); Decision notice served; Ineligible complaint; Informally resolved; Complaint not progressed] 

[Chart: Outcome of a complaint casework where a decision notice is served, 2017/18 to 2019/20. Categories: Total served; Upheld; Not upheld; Partially upheld] 
Annual report 2019/20 | Performance report 


[Chart: Sectors and reasons generating most complaints, 2017/18 to 2019/20. Sectors: Local government; Central government; Police & criminal justice; Health; Education; Private companies] 


Freedom of Information appeals 


Received 

2019/20 311 
2018/19 246 
2017/18 284 

[Chart: Finished, 2017/18 to 2019/20] 

[Chart: Caseload] 


Advice Services 


Calls to the helpline 

Year      Calls received   Calls answered 
2019/20   395,197          340,350 
2018/19   411,656          266,889 
2017/18   235,672          188,180 


Call answer rates - Average wait time (seconds) 

2019/20 157 
2018/19 391 
2017/18 203 


Call answer rates - Percentage answered 

2019/20 86% 
2018/19 65% 
2017/18 80% 


Live Chat 

[Chart: Chats answered and chats requested, 2017/18 to 2019/20] 

[Chart: Chat answer rates - Percentage answered] 

[Chart: Chat answer rates - Average wait time (seconds)] 


[Chart: Written advice - Received, 2017/18 to 2019/20] 


Written advice - Finished 

2019/20 22,469 
2018/19 28,258 


Written advice - Caseload 

31/03/2020 131 


[Chart: Age distribution of finished advice work] 


Personal Data Breaches - Finished 

2018/19 12,385 
2017/18 3,172 

[Chart: Personal Data Breaches - Outcomes] 


PECR concerns 

[Chart: PECR Concerns - Concerns reported, 2017/18 to 2019/20] 

[Chart: PECR Concerns - Cookie concerns reported. 2017/18: 147] 

[Chart: Nature of telesales and SPAM texts reported. Categories: Telesales call where I heard a recorded voice; Telesales call where I spoke to a person; SPAM texts] 


Information Access 

[Chart: Information Access - Requests received] 

[Chart: Information Access - Requests completed] 

[Chart: Information Access - Requests by legislation] 


Response times - Time for compliance 

2018/19 94% 

[Chart: Response times - Average time (days)] 


Request outcomes 

Outcome                          2019/20   2018/19   2017/18 
Information provided in full     872       706       498 
Information partially provided   750       693       508 
Information withheld             306       473       259 
Information not held             289       236       121 
Further clarification needed     110       83        47 
Misguided request                40        80        39 
Withdrawn                        21        11        13 


Internal reviews - Reviews completed 

2019/20 101 

Note: During 2019/20, 4% of the requests we completed led to a request for internal review. 

[Chart: Internal reviews - Response times] 


Financial performance summary 


Grant-in-aid 


Freedom of information expenditure continued to be funded by grant-in-aid. In 
addition, our work on Network and Information Systems (NIS) was funded by 
grant-in-aid. The total grant-in-aid available for 2019/20 was £6.3m (2018/19: 
£4.3m). 


No grant-in-aid was carried forward in 2019/20 (2018/19: nil). 


Fees 


Under the DPA 2018, data protection related work continues to be financed by 
fees collected from data controllers. The annual fee structure is: 


• £40 for charities or organisations with no more than 10 members of staff
or a maximum turnover of £632,000;


• £60 for organisations with no more than 250 members of staff or a
maximum turnover of £36m; and


• £2,900 for all other organisations.


A £5 discount was given to all fees which were paid by direct debit. 


Fees collected in the year totalled £48.712m (2018/19: £39.256m), a 24% 
increase on the previous year. We achieved this by writing to companies 
registered with Companies House who had not registered with the ICO. This 
campaign took place during the latter half of 2019/20, during which time we 
wrote to around 1m companies. We paused this work following the outbreak of 
COVID-19 in the UK, given the economic impact and level of uncertainty this 
caused. We expect to resume this work during 2020/21. 


It is important to stress that an increase in the number of organisations paying 
the fee is not so that we have unlimited funding. We will continue to resource 
ourselves according to our goals. If the income from fees consistently outstrips 
our needs, it will bring the potential to reduce the fee for all organisations, 
reducing the burden for every organisation, but ensuring that burden is shared 
equally. 


As at 31 March 2020, 738,769 data controllers were registered to pay the data 
protection fee, an increase of 139,202 from 31 March 2019 (599,567). 


Annual expenditure 


The total comprehensive expenditure for the year was £5.046m (2018/19: 
£3.336m). 
Financial instruments


Details of our approach and exposure to financial risk are set out in note 9 to the 
financial statements. 
Sustainability


Overall strategy 


Our carbon footprint is generated primarily from heating and lighting ICO 
accommodation, powering our IT infrastructure and from business travel. We 
make as full a use of technology as possible to reduce electricity and gas 
consumption; for example by purchasing low energy use IT, fitting new more 
efficient boilers and installing motion detecting lights. 


We also aim to ensure appropriate and proportionate communications tools are 
in place so that we can engage with stakeholders through relevant channels. As 
a growing organisation there are increasing business travel demands, but, where 
appropriate, we seek to communicate electronically rather than travel for face- 
to-face meetings. As an organisation the ICO reviews the need for all 
international travel and whether there are suitable alternative ways to fulfil 
these commitments using technology. 


Performance 


Throughout 2019/20, preparations for the UK’s exit from the European Union 
ramped up. This has required our staff to travel with increased frequency to 
Brussels for EU meetings. We have also increased our travel beyond the EU, to 
develop strong bilateral relationships throughout the world. In addition to 
promoting excellent personal data practices, these relationships will be of vital 
assistance to the UK in creating new trade deals in the post-EU exit period, as 
data has no borders. Data protection will be a key consideration to those trade 
deals. 


In 2018/19 we had the implementation of the GDPR in May 2018 so there was 
considerable stakeholder engagement at the start of 2018/19. This led to high 
levels of business travel. This slightly reduced in 2019/20 leading to a reduction 
in emissions due to travel. 


Our use of gas decreased significantly during 2019/20. This was due to
efficiencies and a mild winter. During the year we reduced the amount of water
in flushing toilets and the timings of auto flushing in urinals. We also witnessed
more staff working from home due to the increased flexibility of having laptops.


2019/20 saw continued expansion for the ICO and we expanded the footprint of
our main Wilmslow accommodation to keep pace with the increasing size of our
workforce. This has led to an increased use of electricity and a subsequent
increase in emissions.


Biodiversity action planning 
The ICO is not responsible for any outside space and therefore does not have a
biodiversity plan.


Sustainable procurement


We ask those tendering for contracts to provide their sustainability statements
and policies as standard in most procurement exercises.


Greenhouse gas emissions 


Total tonnes CO2

                         2016/17   2017/18   2018/19   2019/20
Scope 1 (gas)                  7         6        36        17
Scope 2 (electricity)        123       172       160       275
Scope 3 (travel)              86       127       202       182
Total emissions             217*      306*       398       474


Tonnes CO2 per full time equivalent staffing

                         2016/17   2017/18   2018/19   2019/20
Scope 1 (gas)               0.02      0.01      0.06      0.02
Scope 2 (electricity)       0.30      0.33      0.26      0.37
Scope 3 (travel)            0.21      0.25      0.33      0.24
Total                       0.53      0.59     0.66*      0.63


*Not a direct sum due to rounding.


Waste minimisation and management and finite resource consumption


Total waste, water and paper consumption

                          2016/17   2017/18   2018/19   2019/20
Waste / tonnes                 16        37        35        36
Water consumption / m3      2,382     5,963     3,983     3,182
A4 paper / reams            4,000     4,300     4,280     4,544
Waste, water and paper consumption per full time equivalent staffing

                          2016/17   2017/18   2018/19   2019/20
Waste / tonnes               0.04      0.07      0.06      0.05
Water consumption / m3       5.82     11.61      6.57      4.23
A4 paper / reams             9.78      8.37      7.06      6.03


Details of ICO performance


Total travel

                    2016/17     2017/18     2018/19     2019/20
Cars
  Kms                37,264      40,216      57,336      43,656
  Cost £              8,195      11,023      14,699      11,506
  Tonnes CO2              7           8          11           8
Rail
  Kms               615,052     820,202   1,120,361   1,133,971
  Cost £            184,443     259,483     404,552     341,668
  Tonnes CO2             28          37          51          51
Flights
  Number                254         515       1,060         734
  Kms               327,356     523,413     889,525     781,541
  Cost £             56,614     103,127     202,847     151,422
  Tonnes CO2             52          82         140         123
Travel summary
  Cost £            249,252     373,633     622,098     504,596
  Tonnes CO2             86         127         202         182
Travel per full time equivalent staffing

                    2016/17     2017/18     2018/19     2019/20
Cars
  Kms                 91.11       78.27       94.61       57.98
  Cost £              20.04       21.45       24.26       15.28
  Tonnes CO2           0.02        0.01        0.02        0.01
Rail
  Kms                 1,504       1,596       1,848    1,505.94
  Cost £             450.96      505.03      667.58      453.74
  Tonnes CO2           0.07        0.07        0.08        0.07
Flights
  Number               0.62        1.00        1.75        0.97
  Kms                800.38    1,018.71    1,467.53    1,037.90
  Cost £             138.42      200.71      334.73      201.09
  Tonnes CO2           0.13        0.16        0.23        0.16
Travel summary
  Cost £             609.42      727.20    1,026.56      670.11
  Tonnes CO2           0.21        0.25        0.33        0.24
Total utilities

                    2016/17     2017/18     2018/19     2019/20
Gas
  Kwh                                       195,575      94,989
  Cost £                                      6,281       4,151
  Tonnes CO2                                     36          17
Electricity
  Kwh               246,219     343,910     319,151     551,804
  Cost £             50,238      65,122      51,995      95,410
  Tonnes CO2            123         172         160         275
Utility summary
  Cost £             51,844      66,671      58,276      99,561
  Tonnes CO2            130         178         196         292
Utilities per full time equivalent staffing

                    2016/17     2017/18     2018/19     2019/20
Gas
  Kwh                 91.29       67.17      322.73      126.15
  Cost £               3.93        3.01       10.36        5.51
  Tonnes CO2           0.02        0.01        0.06        0.02
Electricity
  Kwh                   602         669         527      732.81
  Cost £             122.83      126.75       85.80      126.71
  Tonnes CO2           0.30        0.33        0.26        0.37
Utility summary
  Cost £             126.76      129.76       96.17      132.22
  Tonnes CO2           0.32        0.35        0.32        0.39
Whistleblowing disclosures


The ICO is a ‘prescribed person’ under the Public Interest Disclosure Act 1998, 
meaning that whistleblowers are provided with protection when disclosing 
certain information to us. 


The Prescribed Persons (Reports on Disclosures of Information) Regulations 
2017 require prescribed persons to report annually on whistleblowing disclosures 
made to them. 


The number of whistleblowing disclosures made to us during the period 1 April 
2019 to 31 March 2020 was 427. All information provided was recorded and 
used to develop our overall intelligence picture, in line with our Information 
Rights Strategic Plan 2017-2021. 


Further action was taken on 68 of these disclosures. This may result in referral 
to appropriate departments for further consideration, referral to external 
organisations (including other regulators and law enforcement) or consideration 
for use of our enforcement powers. After review and assessment 359 of the 427 
disclosures resulted in no further action taken at that time. 


During the period 1 April 2019 to 31 March 2020 further action on the 68 
disclosures resulted in 73 referrals to various departments (three disclosures 
resulted in referrals to two departments; one disclosure resulted in referral to 
three departments). 


The outcomes of these referrals: 


• 23 disclosures were taken into consideration for the investigations.

• Eight disclosures were referred back to Advice Services and the PDB Team
including providing advice to the whistleblower and where it would be more
appropriate for the matter to be raised as a complaint.

• 21 disclosures were considered for non-payment of the data protection fee.

• 12 disclosures were referred to other departments for various actions.

• Three disclosures were considered for tactical and strategic assessment.

• Two disclosures are being considered for policy advice.

• Four disclosures resulted in no outcome, but were logged for intelligence
purposes only.

After receipt of a concern we will decide how to respond in line with our 
Regulatory Action Policy. In all cases, we will look at the information provided by 
whistleblowers alongside other relevant information we hold. For example, if an 
organisation reports a breach to us we may use information provided by a 
whistleblower to focus our follow-up enquiries. More broadly, we may use 
information from whistleblowers to focus our liaison and policy development 
within a sector, using the information to identify a particular risk or concern. 
Going concern


The accounts are prepared on a going concern basis as a non-trading entity 
continuing to provide statutory public sector services. 


Grant in aid has already been included in the DCMS's estimate for 2020/21 and
the DPA 2018 allows the ICO to fund data protection related work through fees
paid by data controllers. The DPA 2018 is UK law and will continue to apply
after the UK’s exit from the EU.


There is no reason to believe that future sponsorship and parliamentary approval 
will not be forthcoming. 


The ICO has budgeted income of £61m for the year 2020/21 which has been
restated to account for the potential impact of Covid-19. In light of the impact of
Covid-19 on the UK economy, we have reviewed the mechanism by which the
ICO is funded and assessed what the impact on our funding might be. The
budget set has taken into account the risks over potential fee income and has
been restated accordingly, along with a similar review of costs. The ICO
continues to review the budget and risks within it with DCMS. It is therefore
appropriate to adopt a going concern basis for the preparation of these
financial statements.


Elizabeth Denham 
7 July 2020 
Directors’ report


Directorships and other significant interests held by Board 
members that may conflict with their management 
responsibilities 


Membership of the ICO’s Management Board, along with further information, is 
detailed in the Governance statement. 


A register of interests is maintained for the Information Commissioner and her
Management Board. It is published on our website at ico.org.uk. Declarations
of interest in any of the items considered at a particular meeting are also asked
for at Management Board and Audit Committee meetings.


Employee involvement and wellbeing 


The ICO is a growing organisation, committed to being the best employer we can 
be. As part of our People Strategy, we are aiming to build on our positive culture 
as a smaller organisation, where caring and supporting others is valued and the 
ICO is a good corporate citizen. 


The ICO has a policy of co-operation and consultation with recognised trade 
unions over matters affecting staff. Senior managers meet regularly with trade 
unions to discuss issues of interest, and staff involvement in the work of the 
office is actively encouraged as part of the day-to-day process of line 
management. Our people strategy has three values: ambitious; service-focused; 
and collaborative. 


We continue to implement the actions within the People Strategy and continue to 
further embed the values. We have launched the new Wellbeing policy which is 
at the centre of staff wellbeing. 


With the impact of COVID-19 we have put staff wellbeing at the heart of our 
business continuity. We are ensuring that all our staff are fully supported during 
this period and we are providing wellbeing updates on a weekly basis. 


Equal opportunities and diversity 


We put equality, diversity and inclusion at the heart of everything we do, and as 
part of this we have four equality, diversity and inclusion objectives defined as 
follows: 


• Spreading knowledge and taking action
We will raise awareness of information rights across the community and
take action to ensure that organisations fulfil their obligations. We will
particularly focus on groups and sectors where knowledge gaps may cause
information rights inequalities or vulnerabilities. We will ensure that our
actions as a regulator do not create inequalities or unlawfully discriminate.


• Accessible services
Our services and information will be accessible for users and potential
users of our services, and we will provide our staff with the skills and
knowledge they need to provide high quality services for all. We will try to
anticipate customer needs and we will take action to remove barriers to
our services when possible.


• Encouraging others
We will use our status as a regulator, advisory body and purchaser of
services to influence improvements in equality by other organisations and
across society.


• Employer
Our workplaces and practices will be accessible, flexible, fair and inclusive.
We will value the diversity, skills, backgrounds and experience of our
people, enabling them to perform to their best in a welcoming and
supportive environment.


These objectives aim to ensure that the ICO is an inclusive, accessible and 
diverse regulator, service provider and employer. This will help all members of 
society to have awareness of, and access to, their information rights and receive 
appropriate protection if their rights are infringed. 


Our Equality, Diversity and Inclusion (EDI) Forum oversees our efforts to provide 
an increasingly accessible service for our customers and workplace for our staff. 
In 2019 we undertook a review of the role of this Forum, to ensure that, with the 
increased size of the organisation, we have continued capacity and focus to 
embed equality, diversity and inclusion into the core of how we operate. 


In 2019 we also saw the creation of five new EDI staff networks focusing on 
various equality, diversity and inclusion areas: 


• Women and Allies: focused on gender equality, this network aims to
encourage, empower and support women in their careers at the ICO and
beyond.


• Healthy minds: focused on the importance of good mental health, this
network aims to raise awareness and challenge the perceived social stigma
linked to mental and emotional health issues, including stress, depression
and anxiety.

• REACH: this abbreviation stands for Race, Ethnicity, and Cultural Heritage,
with this network focused on raising awareness of issues of race, ethnicity
and cultural heritage at the ICO and in the wider community and
celebrating diversity.

• Pride: focused on supporting LGBTQ+ colleagues, raising awareness and
celebrating diversity, this network aims to promote a safe, inclusive and
diverse working environment that encourages respect and equality for all.

• Network for Access and Inclusion: focused on improving the experience
of disabled staff and customers at the ICO, this network promotes positive
attitudes towards disabled people and raises awareness of disability
equality by identifying and removing barriers to inclusion.


We provide our staff with a work environment and IT systems which help meet a
range of needs, including accessible offices and IT systems, and flexible and
part-time working (to help work-life balance). This has resulted in all ICO staff
members being provided with a new device which enables them to work from 
any location in a secure and agile way. This has allowed staff to work in the way 
which best suits them, and has been particularly important in our response to 
the COVID-19 pandemic, as it allowed us to smoothly transition to remote 
working. 


We aim to recruit from a range of backgrounds and take the applicant- 
anonymous approach when assessing candidates for employment. 


The community 


For the last three years, ICO staff have supported Dementia UK as our corporate 
charity. 


Personal data incidents 


There have been no substantive security incidents during 2019/20. 


Public sector information holders 


The ICO has complied with the cost allocation and charging requirements set out 
in HM Treasury guidance. 


Pension liabilities 


Details on the treatment of pension liabilities are set out in note 3 to the 
financial statements. 


Annual accounts and audit 


The annual accounts have been prepared in a form directed by the Secretary of 
State with the consent of the Treasury in accordance with paragraph 11(4) of 
Schedule 12 to the DPA 2018. 


Under paragraph 11(3) of Schedule 12 to the DPA 2018 the Comptroller and 
Auditor General was appointed auditor to the Information Commissioner. The 
cost of audit services for this year was £31.5k (2018/19: £30k). No other
assurance or advisory services were provided. 


So far as the Accounting Officer is aware, the Comptroller and Auditor General is 
aware of all relevant audit information, and the Accounting Officer has taken all 
the steps that she ought to have taken to make herself aware of relevant audit 
information and to establish that the Comptroller and Auditor General is aware of 
that information. 


Directors’ statement 


The ICO’s leadership team consists of the Commissioner, Executive Directors 
and Non-Executive Directors. Each of these persons at the time this report is 
approved: 


a) so far as they are aware there is no relevant audit information of which 
the auditor is unaware; and 

b) they have taken all the steps they ought to have taken in their role in 
order to make themselves aware of any relevant audit information and to 
establish that the auditor is aware of that information. 
Statement of the Information
Commissioner’s responsibilities


Under paragraph 11(4) of Schedule 12 to the DPA 2018 the Secretary of State 
directed the Information Commissioner to prepare for each financial year a 
statement of accounts in the form and on the basis set out in the Accounts 
Direction. The accounts are prepared on an accruals basis and must give a true 
and fair view of the state of affairs of the Information Commissioner’s Office at 
the year end and of the income and expenditure, recognised gains and losses 
and cash flows for the financial year. 


In preparing the accounts, the Information Commissioner is required to comply 
with the requirements of the Government Financial Reporting Manual (FReM) 
and in particular to: 


• observe the Accounts Direction issued by the Secretary of State with the
approval of the Treasury, including the relevant accounting and disclosure
requirements, and apply suitable accounting policies on a consistent basis;


• make judgements and estimates on a reasonable basis;


• state whether applicable accounting standards as set out in the FReM have
been followed, and disclose and explain any material departures in the
financial statements; and


• prepare the financial statements on the going concern basis, unless it is
inappropriate to presume that the Information Commissioner's Office will
continue in operation.


The Accounting Officer of the Department for Culture, Media and Sport (DCMS) 
has designated the Information Commissioner as Accounting Officer for her 
Office. The responsibilities of an Accounting Officer, including responsibility for 
the propriety and regularity of the public finances and for keeping of proper 
records and for safeguarding the Information Commissioner's assets, are set out 
in the Non-Departmental Public Bodies' Accounting Officer Memorandum, issued 
by the Treasury and published in Managing Public Money. 


The Accounting Officer confirms that, as far as she is aware, the entity's auditors 
are aware of all relevant audit information, and the Accounting Officer has taken 
all the steps that she ought to have taken to make herself aware of any relevant 
audit information and to establish that the entity's auditors are aware of that 
information. 


The Accounting Officer confirms that the Annual report and Accounts as a whole 
is fair, balanced and understandable and that she takes personal responsibility 
for the Annual report and Accounts and the judgments required for determining 
that it is fair, balanced and understandable. 
Governance statement


Introduction 


The Information Commissioner is a corporation sole as established under the 
DPA 1998 and as confirmed under the DPA 2018. Under the terms of the EU 
Data Protection Directive and the GDPR, the Information Commissioner and her 
Office must be completely independent of Government. The Information 
Commissioner is accountable to Parliament for the exercise of statutory functions 
and the independence of the ICO is enshrined in legislation. Although the GDPR 
is EU legislation, it continues to have an effect in the UK until the end of the EU 
Exit Implementation Period. 


Relationship with the DCMS 


The DCMS is the sponsoring department for the ICO. The relationship with the 
department is governed by a Management Agreement. The Management 
Agreement for 2018-2021 was agreed in July 2018. This agreement sets out our 
shared responsibilities and the commitment to ensuring the independence of the 
Information Commissioner and the ICO. The agreement also ensures that 
appropriate reporting arrangements are in place to enable the DCMS to monitor 
the expenditure of public money allocated to the ICO. 


The agreement also confirms that the ICO has been granted pay flexibility up to 
2020-21. This ensures that we have the flexibility to determine the levels of pay 
necessary for the ICO to maintain the expertise the office needs to fulfil its 
functions. Following this period, the ICO will revert to being subject to standard 
public sector pay policy guidelines (unless otherwise negotiated). 


Management Board 


The Information Commissioner continues to be a corporation sole, with 
responsibility to Parliament. However, the Information Commissioner has 
delegated her powers and the day-to-day running of the organisation to the 
Management Board, comprising Non-Executive and Executive Directors. The 
Information Commissioner is the Chair of the Management Board. 


In 2019/20 the Board’s Terms of Reference were reviewed as part of a joint 
programme of work with DCMS to ensure the ICO’s governance structures reflect 
the changes in the role and size of the organisation, whilst taking account of the 
existing statutory requirements. These changes enable robust and agile decision 
making, clear accountability, value for money, continuity in leadership and 
strategic capacity as well as delivering performance and ambition. 


The revised Terms of Reference identify five main areas of focus for the Board: 
the position, culture, capability, perception and performance of the organisation. 
The Board provides strategic direction to ensure the long-term objectives for the 
organisation are met successfully and sustainably. It operates collectively,
holding the Executive to account for the leadership and regulatory outcomes of 
the ICO. It is responsible for developing strategy, monitoring progress in 
implementing strategy, providing corporate governance and assurance and for 
managing corporate risks. 


The Board is based on majority decision-making principles. As the Information 
Commissioner is a corporation sole, she retains the right to veto a decision of 
the Management Board and take another course of action, where she deems 
necessary. There were no such instances during 2019/20. 


The Board comprises Executive and Non-Executive Directors. During 2019/20,
there were five Executive Directors and five Non-Executive Directors. However, 
during 2019/20, the Board agreed to appoint two further Executive Directors and 
to increase the number of Non-Executive Directors such that Non-Executive 
Directors outnumber the Executive Directors. These changes will be 
implemented during 2020/21. Non-Executive Directors will be appointed by a 
panel chaired by the Information Commissioner and including a representative 
from the ICO’s Government Sponsor Department. 


The Board has agreed to appoint a Senior Independent Director, designated by 
the Commissioner from amongst the Non-Executive Directors. This Director will 
be responsible for chairing Board meetings in the absence of the Information 
Commissioner and for representing the views of the Non-Executive Directors. 
One of the existing Non-Executive Directors will be appointed to this role during 
2020/21. 


There are two senior Executive Directors who will be designated by the 
Commissioner from amongst the Executive Directors. One, designated as Chief 
Operating Officer, will be responsible for the ICO's day-to-day leadership, 
performance and administration, including being delegated Accounting Officer 
responsibilities as far as possible. The other, designated as the Chief Regulatory 
Officer, will be responsible for the ICO's regulatory decisions and outcomes. 
These executive members will be designated during 2020/21. These changes 
allow the Information Commissioner to focus on the key strategic relationships 
with senior politicians, officials and regulators affecting the landscape in which 
the ICO operates at national and international level, as well as setting the 
strategy and vision for the office. 


The Board meets a minimum of four times annually (six meetings a year are 
scheduled and took place during 2019/20) and considers risk management and 
operational, financial, organisational and corporate issues. It also receives 
reports from the Audit Committee and Executive Team as appropriate. 


In the course of 2019/20 the following changes were made to Board 
membership: 
• Peter Hustinx joined the Board on 1 April 2019 as a Non-Executive
Director.


• Simon McDougall, Executive Director (Technology and Innovation), had his
contract extended. Simon was originally appointed on 1 October 2018 on a
two-year contract. This has been extended to July 2021.


In addition to the changes set out above, one further change took place to the
Board during early 2020/21. On 14 April 2020, James Moss joined the Executive
Team as acting General Legal Counsel. He joins Board meetings as an attendee,
rather than as a full member. A structure chart is provided below to illustrate the
current senior management structure.


Elizabeth Denham: Information Commissioner

James Dipple Johnstone: Deputy Commissioner (Executive Director - Regulatory
Supervision Service)

Paul Arnold: Deputy Chief Executive Officer (Executive Director - Corporate
Strategy and Planning Service)

Steve Wood: Deputy Commissioner (Executive Director - Regulatory Strategy
Service)

Simon McDougall: Executive Director - Technology and Innovation

James Moss: Acting General Legal Counsel


The table below details attendance at the Management Board meetings during
the year.


Dates: 7 May 2019; 5 August 2019; 8 November 2019; 24 January 2020; 16 March 2020
Elizabeth Denham Yes Yes Yes Yes Yes
Paul Arnold Yes Yes Yes Yes Yes
Ailsa Beaton Yes Yes Yes Yes Yes
David Cooke Yes Yes Yes Yes Yes
James Dipple Johnstone Yes Yes Yes Yes Yes
Peter Hustinx Yes Yes Yes Yes
Jane McCall Yes Yes Yes Yes
Simon McDougall Yes Yes Yes Yes Yes
Nicola Wood Yes Yes Yes Yes Yes
Steve Wood Yes Yes Yes Yes


Audit Committee 


The Audit Committee meets quarterly and provides a structured, systematic 
oversight of the ICO's governance, risk management, and internal control 
practices. The Committee assists the Board and management team by providing 
independent advice and guidance on the adequacy and effectiveness of the 
organisation's management practices detailed below, including any potential 
improvements to these practices: 


• governance structure;
• risk management;
• internal control framework;
• oversight of the internal audit activity, external auditors, and other
providers of assurance; and
• finance statements and public accountability reporting.


The Committee is chaired by Ailsa Beaton as a Non-Executive Director. Jane
McCall is the other Non-Executive Director and Roger Barlow is the independent
member.


The table below shows attendance of Audit Committee members at the meetings 
during the year. 


Dates: 29 April 2019; 20 June 2019; 28 October 2019; 20 January 2020
Ailsa Beaton Yes Yes Yes Yes
Roger Barlow Yes Yes Yes
Jane McCall Yes Yes Yes Yes


The Information Commissioner has attended all meetings of the Audit 
Committee during this period. Both external and internal auditors attend the 
Audit Committee and have pre-meetings with Committee members before each 
meeting. 


The Audit Committee publishes its own Annual report. Each annual report, 
including the 2019/20 report, is available on the ICO website (ico.org.uk). The 
report states that the Committee is satisfied with the quality of internal and
external audit and believes that it is able to take a measured and diligent view of 
the quality of the systems of reporting and control within the ICO. 


The Chair of the Audit Committee attends regular meetings of the Chairs of the 
Audit and Risk Committees of DCMS arms-length bodies. These meetings include 
discussions with senior DCMS staff and the Comptroller and Auditor General, and 
provide opportunities to share issues of interest. 


The Audit Committee receives a quarterly report on incidents of fraud, security 
breaches and whistleblowing incidents as assurance that the reporting 
mechanisms are in place and are effective. 


Executive Team 


The Executive Team provides day-to-day leadership for the ICO and as such is 
responsible for developing and delivering against the Information Rights 
Strategic Plan. During 2019/20, the team consisted of the Information 
Commissioner, two Deputy Commissioners, Deputy Chief Executive Officer and 
Executive Director (Technology and Innovation). As set out above, in early 
2020/21, the Executive Team was supplemented by an acting General Legal 
Counsel. 


The Executive Team is supported in its role by the Senior Leadership Team. This 
team consists of 14 directors across the organisation. 


Board effectiveness 


The Management Board has considered its compliance with the Corporate 
governance in central government departments: Code of good practice 2017. 
The ICO does not adopt all aspects of the Code, but the Board considers that 
there are good reasons for this given the nature of the organisation as a 
corporation sole. In particular: 


• the Board does not have the powers and duties of a Board in which is
vested the ultimate authority of the organisation. This is because the 
Information Commissioner is a corporation sole. However, in line with the 
scale and complexity of the ICO's role and remit, in August 2019 the 
Commissioner formally delegated responsibility through the ICO's 
Management Agreement with its Government sponsor department (and the 
Management Board Terms of Reference) for the strategic leadership of the 
ICO to the Management Board, of which the Information Commissioner is 
the Chair. The Board operates based on collective decision-making 
principles and a 'majority vote' in circumstances where a consensus view 
cannot be reached. The Commissioner, as a Corporation Sole, will always 
have the right to set a course of action that is contrary to the majority 
view of the Board. There have been no such instances in 2019/20;

• the Board did not have a senior independent director for part of the year,
but in August 2019 agreed that one should be appointed by the 
Commissioner. This appointment will take place during 2020/21; 

• Non-Executive Directors do not have a specific section in the ICO’s Annual
Report, but this is not currently considered necessary; 

• although the ICO has a Remuneration Advisory Panel to advise the
Information Commissioner on remuneration policies related to Executive 
Team pay, as a corporation sole, the Information Commissioner retains 
ultimate authority in this area; and 

• in respect of an operating framework, the Board operates within the
overall system of corporate governance at the ICO. 


The Board has reviewed the information it receives and is satisfied with its 
quality. The Board is also satisfied that it is, itself, operating effectively. 


Issues and highlights 


The ICO’s corporate governance structure has considered various issues of 
substance during the course of the year. These include: 


• progress towards achieving the ICO’s Information Rights Strategic Plan
2017-2021 and the strategies which directly support this, including the
Resource and Infrastructure Strategic Plan;

• development of key performance measures;

• reviewing the governance structure;

• risk management policy and risk appetite;

• preparation for the UK’s exit from the EU and the period after the UK’s exit
from the EU;

• development of the Age Appropriate Design Code;

• updates on the ICO’s priority investigations;

• organisational planning matters, including accommodation, recruitment,
retention and staff pay, during a period of expansion; and

• the ICO’s response to the COVID-19 pandemic.


Risk assessment 


Risks and opportunities are regularly reviewed by senior managers. All risks and 
opportunities are reviewed at least quarterly by Service Delivery Groups; more 
strategic risks and opportunities are discussed on a monthly basis by Senior 
Leadership Team; and all of the highest scoring risks are subject to bi-monthly
review by Executive Team. The Management Board and Audit
Committee also consider these highest scoring risks and opportunities at each
meeting.

In October 2019 the Audit Committee conducted a full review of all of the ICO’s
risks and opportunities. In January 2020, the Audit Committee and Management 
Board approved a new risk management policy and risk appetite statement. The 
Committee does this on an annual basis. All activities within Directorate business 
plans are directly linked to risks or opportunities, which has ensured that they 
are considered even more regularly, along with clearly identifying actions to 
mitigate risks or exploit opportunities. 


The main new risks and opportunities identified during 2019/20 were: 


• increasing demand;

• influencing the future regulation of online harms;

• providing appropriate products and services to SMOs;

• Management Board and Executive Team capacity and resilience;

• the COVID-19 pandemic;

• managing the ICO’s reputation;

• the political and economic environment; and

• staff wellbeing.


In addition, throughout 2019/20, we continued to work to mitigate the key 
corporate risks to achieving our six strategic goals. 


Key risk area: The impact of exiting the EU and the resulting uncertainty.
Mitigation approach: Coordinated planning and response through the ICO’s EU
Withdrawal Planning Group. Guidance for a range of exit scenarios developed
and published, with accompanying communications for small and medium sized
organisations. Ongoing liaison with UK government, EU counterparts and other
data protection authorities. Development of operational demand plans to deal
with increased volumes of enquiries.

Key risk area: Development of a service culture to deliver responsive and
reliable services for our stakeholders.
Mitigation approach: Implementation of a service excellence programme
including research and training. Launch of ICO corporate values.

Key risk area: Development of infrastructure and culture to ensure we are
compliant with all relevant legal and other obligations.
Mitigation approach: Internal and external audit. Suite of internal policies
covering financial, procurement, HR, corporate, information governance and
security obligations. Audit Committee oversight of the ICO's internal controls
framework.

Key risk area: Delivery of the ICO's statutory Codes of Practice.
Mitigation approach: Dedicated resources in place. Detailed project plans
including utilising external research and consultation.


The ICO also received an internal audit (via Mazars, our internal auditor) of our 
risk management policies, procedures and practices. This audit gave a finding of 
"adequate assurance" (this is defined as "There is generally a sound control 
framework in place, but there are significant issues of compliance or efficiency or 
some specific gaps in the control framework which need to be addressed. 
Adequate assurance indicates that despite this, there is no indication that risks 
are crystallising at present.") 


The main area of uncertainty for the future, at the time of writing this report, is 
the COVID-19 pandemic. This pandemic has a direct impact on the ICO's 
operations and priorities, and may well have a long-term impact on the ICO's 
future operations and priorities, even after the UK and world returns to normal 
as the pandemic eases. 


In addition, there is still uncertainty about the UK's exit from the European 
Union and establishing its new international position. This is vital for the ICO, as 
international trade relies heavily on the ease with which data can travel across 
borders and the trust and confidence consumers have when it does. In the run- 
up to the EU exit, the ICO has devoted significant resources to developing our 
bilateral relationships with other data protection authorities, both in the EU and 
beyond. 


Sources of assurance 


As Accounting Officer the Information Commissioner has responsibility for 
reviewing the effectiveness of the system of internal control, including the risk 
management framework. This review is informed by the work of the internal 
auditors and senior managers who have responsibility for the development and 
maintenance of the internal control framework, and comments made by the 
external auditors in their management letter and other reports. 


2019/20 was the second year of our contract for internal audit with Mazars, who 
will provide our internal audit services until June 2021. In their annual report, 
they gave an opinion that the framework of governance, risk management, and 
control is moderate in its overall adequacy and effectiveness ("moderate" is 
defined by Mazars as "some improvements are required to enhance the 
adequacy and effectiveness of the framework of governance, risk management 
and control.”). Mazars stated that “on the basis of our audit work, our opinion on 
the framework of governance, risk management, and control is Moderate in its 
overall adequacy and effectiveness. Certain weaknesses and exceptions were 
highlighted by our audit work, however none were considered fundamental. 
These matters have been discussed with management, to whom we have made 
a number of recommendations. All of these have been, or are in the process of 
being addressed, as detailed in our individual reports.”
Mazars made 39 recommendations in their audits during 2019/20, of which 28 
have been implemented during the year. 


The Information Commissioner is satisfied that a plan to address weaknesses in 
the system of internal control and to ensure continuous improvement of the 
system is in place. The Information Commissioner is also satisfied that all 
material risks have been identified and that those risks are being properly 
managed.


Remuneration policy


Schedule 4 to the DPA 2018 states that the salary of the Information 
Commissioner be specified by a Resolution of the House of Commons. In March 
2018 the House resolved that the salary would be £160k per annum from 1 April 
2018. The salary is paid directly from the Consolidated Fund. In addition to this 
salary, the Information Commissioner also receives a non-consolidated, non- 
pensionable annual allowance of £20,000. 


In January 2018 the ICO was granted pay flexibility from 1 April 2018 to 31 
March 2021 to enable it to review its pay and grading structure. During this 
period the ICO has the flexibility to determine the levels of pay necessary for it 
to maintain the expertise it needs to fulfil its functions as a supervisory 
authority. In exercising this flexibility, the assumption is that matching market 
averages will be the upper limit of the ICO’s pay levels, since a public sector 
organisation’s pay should be slightly below averages in the wider market. This 
flexibility is also subject to standard public spending principles and the 
Information Commissioner will keep HM Treasury and DCMS updated with how 
this flexibility is being exercised. 


In making decisions on remuneration the Information Commissioner has regard 
to the following considerations: 


• the need to recruit, retain and motivate suitably able and qualified people;

• government policies for improving the public services;

• the funds available to the Information Commissioner; and

• Treasury pay guidance.


In matters relating to Executive Team pay, the Information Commissioner also 
has regard to the recommendations of the Remuneration Advisory Panel 
(established from February 2019). 


During 2019/20, as part of delivering pay flexibility, a career progression 
framework was implemented. This framework creates a means by which the ICO 
can recognise and reward staff, based on increased personal competence, 
contribution and impact within the role, aligned to the organisation’s vision and 
values. The framework has allowed us to attract and retain higher quality staff. 


Once this period of pay flexibility finishes after 2020/21, the ICO will revert to 
being subject to standard public sector pay policy guidelines issued by HMT, 
unless otherwise negotiated. As such, the remuneration of staff and other 
officers will be determined by the Information Commissioner in consultation with 
the Secretary of State and Treasury.


Staff appointments are made on merit on the basis of fair and open competition 
and, unless otherwise stated, are open-ended until normal retiring age.
Individuals who are made redundant are entitled to receive compensation as set
out in the Civil Service Compensation Scheme. 


During 2019/20, Non-Executive Directors were paid an annual salary of £13,824 
and are appointed for an initial term of three years, renewable by the 
Information Commissioner by mutual agreement. Additional payment was made 
for additional days worked. 


The salary for the Non-Executive Directors is based on 16 days at a rate of £864 
per day. In light of the increased demands placed on the Non-Executive Directors,
for 2020/21 onwards, the number of days contribution required from the Non- 
Executive Directors will increase to 26. Therefore, the annual salary of Non- 
Executive Directors will increase to £22,464.


Remuneration and staff report


Salary and pension entitlements (audited) 


Details of the remuneration and pension interests of the Information 
Commissioner and her most senior officials are provided below. 


Remuneration (salary, bonuses, benefits in kind and pensions) 


Columns: Officials; Salary (£'000); Benefits in kind (nearest £100);
Compensation schemes (£'000); Pension benefits (£'000) (nearest £1,000);
Total (£'000). Each column is given for 2019/20 and 2018/19.

Officials (in table order):
Elizabeth Denham, Information Commissioner
Paul Arnold, Deputy CEO
Steve Wood, Deputy Commissioner (Regulatory Strategy)
James Dipple-Johnstone, Deputy Commissioner (Regulatory Supervision)
Simon McDougall, Executive Director (Technology and Innovation) [note 3]
Ailsa Beaton, Non-Executive Board Member
David Cooke, Non-Executive Board Member
Peter Hustinx, Non-Executive Board Member [note 5]

Salary (£'000)
2019/20: 180-185 [note 1]; 115-120; 105-110; 115-120; 115-120; 20-25; 10-15; 10-15
2018/19: 180-185 [note 1]; 95-100; 95-100; 100-105; 50-55 (full year 105-110); 15-20; 25-30

Benefits in kind (nearest £100)
2019/20, 2018/19: -, 100; -, 100; -, 100; 100, -

Pension benefits (£'000) (nearest £1,000)
2019/20: 61; 74; 48; 23 [note 2]; 303 [note 4]
2018/19: 61; 144; 97; 17.5 [note 2]; 21

Total (£'000)
2019/20: 240-245; 190-195; 150-155; 135-140; 415-420; 10-15
2018/19: 240-245 [note 1]; 235-240; 190-195; 115-120; 75-80; 15-20; 25-30

Jane McCall, Non-Executive Board Member: salary 15-20 (2019/20), 15-20
(2018/19); benefits in kind, compensation schemes and pension benefits - in
both years; total 15-20 (2019/20), 15-20 (2018/19).

Nicola Wood, Non-Executive Board Member: salary 10-15 (2019/20), 20-25
(2018/19); benefits in kind, compensation schemes and pension benefits - in
both years; total 10-15 (2019/20), 20-25 (2018/19).


Notes:


1. This includes a non-consolidated, non-pensionable annual allowance of £20,000. 


2. James Dipple-Johnstone is a member of a Partnership pension scheme. We are required to 
disclose Employer contributions to pensions to the nearest £100. 


3. Appointed October 2018. 
4. This figure includes the transfer in of another pension. 
5. Appointed April 2019. 


The value of pension benefits accrued during the year is calculated as the real 
increase in pension multiplied by 20 plus the real increase in any lump sum, less 
the contributions made by the individual. The real increases exclude increases 
due to inflation or any increase or decrease due to a transfer of pension rights. 


Salary comprises gross salary and any other allowance to the extent that it is 
subject to UK taxation. There were no bonus payments to Board Members in 
2019/20. 


All benefits in kind relate to the ICO's contribution to the ICO's health care plan 
provided by BHSF.


Pension Benefits (audited)

Columns (all £'000): accrued pension at pension age as at 31 March 2020 and
related lump sum; real increase in pension and related lump sum at pension
age; CETV at 31 March 2020; CETV at 31 March 2019; real increase in CETV.

Elizabeth Denham, Information Commissioner: 10-15; 2.5-5; 215; 149; 47
Paul Arnold, Deputy CEO: 30-35 plus a lump sum of 70-75; 2.5-5 plus a lump sum of 2.5-5; 533; 410; 41
Steve Wood, Deputy Commissioner (Regulatory Strategy): 20-25; 2.5-5; 341; 295; 25
James Dipple-Johnstone, Deputy Commissioner (Regulatory Supervision) [note 1]: -; -; -; -; -
Simon McDougall, Executive Director (Technology and Innovation): 15-20; 15-17.5; 183; 14; 20


Notes:


1. Member of partnership pension scheme.

The Cash Equivalent Transfer Value (CETV) figures are provided by MyCSP, the ICO’s
Approved Pensions Administration Centre, who have assured the ICO that they have been
correctly calculated following guidance provided by the Government Actuary’s Department.


Partnership pensions 


There is one member of staff included in the list of the Commissioner's most 
senior staff who has a partnership pension. Please see note 2 to the table on 
pages 99 to 100. 


Civil Service pensions 


Further details about the Civil Service pension arrangements are available at 
civilservicepensionscheme.org.uk.


Cash Equivalent Transfer Values (CETV)


A CETV is the actuarially assessed capitalised value of the pension scheme 
benefits accrued by a member at a particular point in time. The benefits valued 
are the member’s accrued benefits and any contingent spouse’s pension payable 
from the scheme. It represents the amount paid by a pension scheme or
arrangement to secure pension benefits in another pension scheme or 
arrangement when the member leaves a scheme and chooses to transfer the 
benefits accrued in their former scheme. 


The pension figures shown relate to the benefits that the individual has accrued 
as a consequence of their total membership of the pension scheme, not just 
their service in a capacity to which disclosure applies. 


The figures include the value of any pension benefit in another scheme or 
arrangement that the individual has transferred to the Civil Service pension 
arrangements. They also include any additional pension benefit accrued to the 
member as a result of their purchasing additional pension benefits at their own 
cost. CETVs are worked out in accordance with The Occupational Pensions
Schemes (Transfer Values) (Amendment) Regulations 2008 and do not take 
account of any actual or potential reduction to benefits resulting from Lifetime 
Allowance Tax which may be due when pension benefits are taken. 


Real increase in CETV 


This reflects the increase in CETV that is funded by the employer. It does not 
include the increase in accrued pension due to inflation, contributions paid by 
the employee (including the value of any benefits transferred from another 
pension scheme or arrangement) and uses common market valuation factors for 
the start and end of the period. 


Pay multiples (audited) 


Reporting bodies are required to disclose the relationship between the 
remuneration of the highest paid director in their organisation and the median 
remuneration of the organisation’s workforce. The Information Commissioner is 
deemed to be the highest paid director and no member of staff receives 
remuneration higher than the highest paid director. 


The banded remuneration of the highest paid director of the ICO in the financial 
year 2019/20 was £180k to £185k (2018/19: £180k to £185k). This was 5.9 
times (2018/19: 6.6 times) the median remuneration of the workforce, which 
was £30,626 (2018/19: £27,096). The median total remuneration is calculated 
by ranking the annual full-time equivalent salary as at 31 March 2020 for each 
member of staff. 


Staff remuneration ranged from £19,299 to £180,000 (2018/19: £19,299 to 
£180,000).

Total remuneration includes salary, non-consolidated performance-related pay
and benefits-in-kind. It does not include severance payments, employer pension 
contributions or the CETV of pensions. 


During 2019/20, as stated above, the ICO had permission to exercise pay 
flexibility, although it still adheres to the principle of government pay restraint 
policies. 


Number of senior civil service staff (or equivalent) by band 


The Information Commissioner, the two Deputy Commissioners, the Deputy 
Chief Executive Officer, the Executive Director - Technology and Innovation and 
the five Non-Executive Directors are the only staff categorised as being at a
grade equivalent to the senior civil service. 


Staff composition 


As of the end of 2019/20 there were 10 members of the Management Board, of 
whom six were male and four were female. In total in the ICO, 37.3% of staff 
were male and 62.7% female. 


Sickness absence 


The average number of sick days taken per person during the year was 7.2 days 
(2018/19: 5.5 days). 


Staff policies relating to the employment of disabled persons 


The ICO's recruitment processes ensure that shortlisting managers only assess 
the applicant's skills, knowledge and experience for the job. All personal 
information is removed from applications before shortlisting. 


The ICO applies the Disability Confident standard for job applicants who are 
disabled. It has also assisted in the continued employment of disabled people by 
providing a work environment that is accessible and equipment that allows 
people to perform effectively. Our disabled staff are given equal access to 
training and promotion opportunities and adjustments are made to work 
arrangements, work patterns and procedures to ensure that people who are, or 
become, disabled, are treated fairly and can continue to contribute to the ICO's 
aims. 


Staff numbers and costs (audited) 


As at 31 March 2020 the ICO had 768 permanent staff (720.3 full time 
equivalents).


Average number of full time equivalents during 2019/20

                    Permanently      Temporarily      2019/20   2018/19
                    employed staff   employed staff   Total     Total
Directly employed   700.2            6                706.2     606
Agency staff        0                20.7             20.7      32
Total employed      700.2            26.7             726.9     638


Staff costs

                                 Permanently                2019/20   2018/19
                                 employed staff   Others    Total     Total
                                 £000             £000      £000      £000
Wages and salaries               27,369           1,639     29,008    22,840
Social security costs            2,942            -         2,942     2,154
Other pension costs              7,126            -         7,126     4,050
Sub-total                        37,437           1,639     39,076    29,044
Less recoveries in respect of
outward secondments              0                -         0         (1)
Total net costs                  37,437           1,639     39,076    29,043


Included in staff costs above are notional costs of £256k (2018/19: £220k) in 
respect of salary and pension entitlements of the Information Commissioner and 
the associated employers national insurance contributions (which are credited 
directly to the General Reserve), temporary agency staff costs of £0.746m 
(2018/19: £1.415m) and inward staff secondments of £894k (2018/19: £453k),
as well as the amounts disclosed in the Remuneration section above.


Expenditure on consultancy


During 2019/20 there was expenditure totalling £665k on consultancy as defined 
in Cabinet Office spending controls guidance (2018/19: £329k). 


This expenditure mainly relates to external support in establishing the ICO’s pay 
flexibility policies. It also includes support which has been necessary in other 
areas during our growth in the last year, such as forensic work, preparation for 
the UK’s EU exit, strategic communications, and research. 


Off-payroll engagements 


There were no off-payroll engagements during 2019/20. 


Exit packages (audited) 


Redundancy and other departure costs are paid in accordance with the 
provisions of the Civil Service Compensation Scheme, a statutory scheme made 
under the Superannuation Act 1972. Exit costs are accounted for in full in the 
year of departure. Where the Information Commissioner has agreed early 
retirements, the additional costs are met by the Information Commissioner and 
not by the Principal Civil Service Pension Scheme (PCSPS). Ill health retirement
costs are met by the pension scheme and are not included in the table above. 


There were no compulsory redundancies in 2019/20 (2018/19: none) and no 
other exit packages. 


Ex-gratia payments made outside of the provisions of the Civil Service 
Compensation Scheme are agreed directly with the Treasury. 


Trade union facility time 


Relevant union officials 


Number of employees who were relevant union officials during the relevant
period: 14

Full time equivalent employee number: 0.49


Percentage of time spent on facility time


0%        0
1-50%     14
51%-99%   0
100%      0


Percentage of pay bill spent on facility time


Total cost of facility time £15,679.68 
Total pay bill £29,006,000 
Percentage 0.05% 


Paid trade union activities 


Time spent on trade union activities as a percentage of total paid facility
time hours: 20%


Regularity of expenditure (audited)


There are no regularity of expenditure issues. 


Fees and charges (audited) 


Information on fees collected from data controllers who notify their processing of 
personal data under the DPA is provided in the Financial Performance Summary, 
as part of the performance report earlier in this document. Further information 
on data protection fees is also set out in notes 1.5 and 2 to the financial 
statements. 


Remote contingent liabilities (audited) 


Please see note 18 to the accounts. 


Long-term expenditure trends 


The ICO is collecting fees under the GDPR and Data Protection (Charges and 
Information) Regulations 2018 - this fee structure allows the ICO to better 
match fee income to the cost of regulation. Fee income was initially budgeted to 
increase to over £57m this financial year, and to approximately £60m by 2021- 
22. There is now however a material risk that this will not happen in 2020/21 
due to the impact of COVID-19 on our ability to generate data protection fee 
income. We have currently revised down the projections for fee income for
2020/21 to £54m. We are ensuring we maintain dialogue with DCMS about the
impact of COVID-19. 


Grant-in-aid for our freedom of information work has slightly increased to £4m 
per annum. 




Elizabeth Denham 
7 July 2020


The Certificate and Report of the
Comptroller and Auditor General to the 
Houses of Parliament 


Opinion on financial statements 


I certify that I have audited the financial statements of Information 
Commissioner's Office for the year ended 31 March 2020 under the Data 
Protection Act 2018. The financial statements comprise: the Statements of 
Comprehensive Net Expenditure, Financial Position, Cash Flows, Changes in 
Taxpayers’ Equity; and the related notes, including the significant accounting 
policies. These financial statements have been prepared under the accounting 
policies set out within them. I have also audited the information in the 
Accountability Report that is described in that report as having been audited. 


In my opinion: 


• the financial statements give a true and fair view of the state of
Information Commissioner’s Office affairs as at 31 March 2020 and of net 
expenditure for the year then ended; and 


• the financial statements have been properly prepared in accordance with
the Data Protection Act 2018 and Secretary of State directions issued 
thereunder. 


Opinion on regularity 


In my opinion, in all material respects the income and expenditure recorded in 
the financial statements have been applied to the purposes intended by 
Parliament and the financial transactions recorded in the financial statements 
conform to the authorities which govern them. 


Basis of opinions 


I conducted my audit in accordance with International Standards on Auditing 
(ISAs) (UK) and Practice Note 10 ‘Audit of Financial Statements of Public Sector 
Entities in the United Kingdom’. My responsibilities under those standards are 
further described in the Auditor’s responsibilities for the audit of the financial 
statements section of my certificate. Those standards require me and my staff to 
comply with the Financial Reporting Council’s Revised Ethical Standard 2016. 


I am independent of the Information Commissioner’s Office in accordance with 
the ethical requirements that are relevant to my audit and the financial 
statements in the UK. My staff and I have fulfilled our other ethical 
responsibilities in accordance with these requirements. I believe that the audit
evidence I have obtained is sufficient and appropriate to provide a basis for my
opinion. 


Conclusions relating to going concern 


I have nothing to report in respect of the following matters in relation to which 
the ISAs (UK) require me to report to you where: 


• the Information Commissioner's Office's use of the going concern basis of
accounting in the preparation of the financial statements is not 
appropriate; or 

• the Information Commissioner’s Office have not disclosed in the financial
statements any identified material uncertainties that may cast significant 
doubt about the Information Commissioner's Office's ability to continue to 
adopt the going concern basis of accounting for a period of at least twelve 
months from the date when the financial statements are authorised for 
issue. 


Responsibilities of the Board and Accounting Officer for the 
financial statements 


As explained more fully in the Statement of Information Commissioner's 
Responsibilities, the Accounting Officer is responsible for the preparation of the 
financial statements and for being satisfied that they give a true and fair view. 


Auditor's responsibilities for the audit of the financial 
statements 


My responsibility is to audit, certify and report on the financial statements in 
accordance with the Data Protection Act 2018. 


An audit involves obtaining evidence about the amounts and disclosures in the 
financial statements sufficient to give reasonable assurance that the financial 
statements are free from material misstatement, whether caused by fraud or 
error. Reasonable assurance is a high level of assurance, but is not a guarantee 
that an audit conducted in accordance with ISAs (UK) will always detect a 
material misstatement when it exists. Misstatements can arise from fraud or 
error and are considered material if, individually or in the aggregate, they could 
reasonably be expected to influence the economic decisions of users taken on 
the basis of these financial statements. 


As part of an audit in accordance with ISAs (UK), I exercise professional 
judgment and maintain professional scepticism throughout the audit. I also: 


- identify and assess the risks of material misstatement of the financial
statements, whether due to fraud or error, design and perform audit
procedures responsive to those risks, and obtain audit evidence that is
sufficient and appropriate to provide a basis for my opinion. The risk of not
detecting a material misstatement resulting from fraud is higher
than for one resulting from error, as fraud may involve collusion,
forgery, intentional omissions, misrepresentations, or the override
of internal control;


- obtain an understanding of internal control relevant to the audit in order to
design audit procedures that are appropriate in the circumstances, but not 
for the purpose of expressing an opinion on the effectiveness of the 
Information Commissioner's Office's internal control; 


- evaluate the appropriateness of accounting policies used and the
reasonableness of accounting estimates and related disclosures made by 
management; 


- evaluate the overall presentation, structure and content of the financial
statements, including the disclosures, and whether the consolidated 
financial statements represent the underlying transactions and events in a 
manner that achieves fair presentation; and 


- conclude on the appropriateness of the Information Commissioner's
Office's use of the going concern basis of accounting and, based on the 
audit evidence obtained, whether a material uncertainty exists related to 
events or conditions that may cast significant doubt on the Information 
Commissioner's Office's ability to continue as a going concern. If I 
conclude that a material uncertainty exists, I am required to draw 
attention in my report to the related disclosures in the financial statements 
or, if such disclosures are inadequate, to modify my opinion. My 
conclusions are based on the audit evidence obtained up to the date of my 
report. However, future events or conditions may cause the Information 
Commissioner's Office to cease to continue as a going concern. 


I communicate with those charged with governance regarding, among other 
matters, the planned scope and timing of the audit and significant audit findings, 
including any significant deficiencies in internal control that I identify during my 
audit. 


In addition, I am required to obtain evidence sufficient to give reasonable 
assurance that the income and expenditure reported in the financial statements 
have been applied to the purposes intended by Parliament and the financial 
transactions conform to the authorities which govern them. 


Other Information 


The Accounting Officer is responsible for the other information. The other 
information comprises information included in the annual report, other than the 
parts of the Accountability Report described in that report as having been 
audited, the financial statements and my auditor's report thereon. My opinion on 
the financial statements does not cover the other information and I do not 
express any form of assurance conclusion thereon. In connection with my audit 
of the financial statements, my responsibility is to read the other information
and, in doing so, consider whether the other information is materially
inconsistent with the financial statements or my knowledge obtained in the audit 
or otherwise appears to be materially misstated. If, based on the work I have 
performed, I conclude that there is a material misstatement of this other 
information, I am required to report that fact. I have nothing to report in this 
regard. 


Opinion on other matters 
In my opinion: 

- the parts of the Accountability Report to be audited have been properly
prepared in accordance with Secretary of State directions made under the
Data Protection Act 2018;

- in the light of the knowledge and understanding of the Information
Commissioner's Office and its environment obtained in the course of the
audit, I have not identified any material misstatements in the Performance
Report or the Accountability Report; and

- the information given in the Performance Report and Accountability Report
for the financial year for which the financial statements are prepared is
consistent with the financial statements.


Matters on which I report by exception 


I have nothing to report in respect of the following matters which I report to you 
if, in my opinion: 
- adequate accounting records have not been kept or returns adequate for
my audit have not been received from branches not visited by my staff; or
- the financial statements and the parts of the Accountability Report to be
audited are not in agreement with the accounting records and returns; or
- I have not received all of the information and explanations I require for my
audit; or
- the Governance Statement does not reflect compliance with HM Treasury's
guidance.


Report 


I have no observations to make on these financial statements. 


Gareth Davies
Comptroller and Auditor General
10 July 2020

National Audit Office
157-197 Buckingham Palace Road
Victoria
London SW1W 9SP


Statement of comprehensive net expenditure
for the year ended 31 March 2020

                                                    2019/20             2018/19
                                        Note      £'000     £'000     £'000     £'000
Expenditure
Staff costs                             3                  39,076              29,043
Other expenditure                       4        13,436              13,689
Depreciation and other non-cash costs   4         2,241    15,677       584    14,273
Total expenditure                                          54,753              43,316
Income
Income from activities                  5a               (49,707)            (39,980)
Net expenditure                                             5,046               3,336

Total comprehensive expenditure for
the year ended 31 March                                     5,046               3,336


Note: All income and expenditure relates to continuing operations. There was no other 
comprehensive expenditure for the year ended 31 March 2020 (31 March 2019) 


The notes on pages 118 to 139 form part of these financial statements.


Statement of financial position
as at 31 March 2020

                                            Note   31 March 2020   31 March 2019
                                                           £'000           £'000
Non-current assets
Property, plant and equipment               6              1,073           1,839
Right of use assets                         7              3,968               -
Intangible assets                           8                688              36
Total non-current assets                                   5,729           1,875
Current assets
Trade and other receivables                 10             5,390           6,420
Cash and cash equivalents                   11             6,154           3,101
Total current assets                                      11,544           9,521
Total assets                                              17,273          11,396
Current liabilities
Trade and other payables                    12           (7,506)         (8,647)
Provisions                                  13             (911)            (35)
Lease liability                             14           (1,487)               -
Non-current assets plus net current assets                 7,369           2,714
Non-current liabilities
Provisions                                  13             (859)           (510)
Lease liability                             14           (2,759)               -
Assets less liabilities                                    3,751           2,204
Taxpayers’ equity
Revaluation reserve                                            -               -
General reserve                                            3,751           2,204
                                                           3,751           2,204


Note: The notes on pages 118 to 139 form part of these financial statements.


Elizabeth Denham
7 July 2020


Statement of cash flows
for the year ended 31 March 2020

                                                    Note        2019/20   2018/19
                                                                  £'000     £'000
Cash flows from operating activities
Net expenditure                                                 (5,046)   (3,336)
Adjustment for non-cash items                       3, 4, 13      3,887       708
Decrease/(increase) in trade and other receivables  10            (564)   (1,000)
Increase/(decrease) in trade payables               12              178     1,923
Use of provisions                                   13             (30)      (10)
Net cash outflow from operating activities                      (1,575)   (1,715)

Cash flows from investing activities
Purchase of property, plant and equipment
Proceeds on sale of property, plant & equipment
Purchase of intangible assets
Net cash outflow from investing activities

Cash flows from financing activities
Right of use assets - Lease                                     (1,291)
Grant-in-aid received from the DCMS                 ID            6,338
Net cash inflow from financing activities                         5,047

Net increase/(decrease) in cash and cash
equivalents during the year before adjustment for
receipts and payments to the Consolidated Fund                       ZU       528

Receipts due to the Consolidated Fund which are
outside the scope of the Information
Commissioner’s activities                                         1,899     2,990

Payments of amounts due to the Consolidated Fund                (1,658)   (3,340)

Net increase/(decrease) in cash and cash
equivalents in the year after adjustment for
receipts and payments to the Consolidated Fund                    3,053       178

Cash and cash equivalents at the start of the year                3,101     2,923

Cash and cash equivalents at the end of the year    11            6,154     3,101

Note: The notes on pages 118 to 139 form part of these financial statements.


Statement of changes in taxpayers’ equity
for the year ended 31 March 2020

                                            Note   Revaluation      General        Total
                                                       reserve      reserve     reserves
                                                         £'000        £'000        £'000
Balance at 31 March 2018                                              2,426        2,426

Changes in taxpayers’ equity 2018/19
Grant-in-aid from the DCMS                  1.3                       2,896        2,896
Comprehensive expenditure for the year                              (3,338)      (3,338)
Non-cash charges - Information
Commissioner’s salary costs                                             220          220

Balance at 31 March 2019                                              2,204        2,204

Changes in taxpayers’ equity 2019/20
Grant-in-aid from the DCMS                                            6,338        6,338
Comprehensive expenditure for the year                              (5,046)      (5,046)
Non-cash charges - Information
Commissioner's salary costs                                             256          256

Balance at 31 March 2020                                               3732        37592


Note: The notes on pages 118 to 139 form part of these financial statements.


Notes to the accounts


1. Statement of accounting policies


These financial statements have been prepared on a going concern basis in 
accordance with the 2019/20 Government Financial Reporting Manual (FReM) 
issued by HM Treasury. The accounting policies contained in the FReM apply 
International Financial Reporting Standards (IFRS) as adapted or interpreted for 
the public sector context. Where the FReM permits a choice of accounting policy, 
the accounting policy which is judged most appropriate to the particular 
circumstances of the Information Commissioner for the purpose of giving a true 
and fair view has been selected. The particular policies adopted by the 
Information Commissioner are described below. They have been applied 
consistently in dealing with items that are considered material to the accounts. 


1.1. Accounting convention 
These accounts have been prepared under the historical cost convention 
modified to account for the revaluation of property, plant and equipment 
and intangible assets at their value to the business by reference to current 
costs. 


1.2. Disclosure of IFRS in issue but not yet effective 
The Information Commissioner has reviewed and concluded that there are 
no IFRSs in issue and effective yet that are applicable to the ICO. 


1.3. Grant-in-aid 
Grant-in-aid is received from the DCMS to fund expenditure on freedom of 
information work, and is credited to the General Reserve on receipt. 


1.4. Cash and cash equivalents 
Cash and cash equivalents recorded in the Statement of Financial Position 
and Statement of Cash Flows include cash-in-hand, deposits held at call 
with banks, other short-term highly liquid investments and bank overdrafts. 


1.5. Income from activities and Consolidated Fund income 
Income collected under the Data Protection Act 2018 is surrendered to the 
DCMS as Consolidated Fund income, unless the DCMS (with the consent of 
the Treasury) has directed otherwise, in which case it is treated as Income 
from activities. There are three main types of income collected: 


Data protection notification fees 

Fees are collected from annual notification fees paid by data controllers 
required to notify their processing of personal data under the DPA 2018. 
The Information Commissioner has been directed to retain the fee income 
collected to fund data protection work and this is recognised in the 
Statement of Comprehensive Net Expenditure as income. At the end of 
each year, the Information Commissioner may carry forward to the
following year sufficient fee income to pay year-end creditors. Any fees in
excess of the limits prescribed within the Management Agreement with 
DCMS are paid over to the Consolidated Fund. Under IFRS 15, if an entity 
does not satisfy a performance obligation over time, the performance 
obligation is satisfied at a point in time. As fees are recognised and used in 
the year in which they are received, then under IFRS 15 the performance 
obligations are considered to have been satisfied at a point in time. 


The ICO follows a five-step approach to recognising the fee income under
IFRS 15, as follows:


Step 1 Identify contract - In line with guidance from HMT, DP fee income
will be treated as a contract with customers.


Step 2 Identify performance obligations - Based on the services that the
ICO provides to both organisations (who are liable for the DP fee) and the
general public, there are no specific performance obligations identifiable but
rather an ongoing performance with no specific service available for one
organisation over another. Services are based on (subject and caseload)
priority and public risk, cases that come on line through investigation
channels and assurance, annual cycle of advice and guidance publication,
technical advice and leadership.


Step 3 Determine transaction price - The cost of the DP fee is based on the
size and complexity of the organisation and is set by the Secretary of State
based on consultation with the ICO on the forecasted costs of delivering all
regulatory services to both organisations and the general public.


Step 4 Allocate price to performance obligations - There are no performance
obligations specific to one organisation beyond the overall public body
regulatory obligations; therefore there is no viable method of allocating a
price to obligations (other than the fee cost in its entirety).


Step 5 Recognise revenue when performance obligations are met - This is
deemed to be at the point of registration.


Civil monetary penalties 

The Information Commissioner can impose civil monetary penalties for 
serious breaches of the DPA or PECR of up to £500k up to 25 May 2018 and 
up to 4% of global turnover thereafter. A penalty can be reduced by 20% if 
paid within 30 days of being issued. 


The Information Commissioner can impose fines for not paying the data 
protection fee up to a maximum of £4,350 under the DPA 2018. 


The Information Commissioner does not take action to enforce a civil
monetary penalty unless and until the period specified in the notice as to
when the penalty must be paid has expired and the penalty has not been
paid, all relevant appeals against the monetary penalty notice and any
variation of it have either been decided or withdrawn, and the period for
the data controller to appeal against the monetary penalty and any
variation of it has expired.


Civil monetary penalties collected by the Information Commissioner are 
recognised on an accruals basis when issued. They are paid over to the 
Consolidated Fund, net of any early payment reduction when received. Civil 
monetary penalties are not recognised in the Statement of Comprehensive 
Net Expenditure, but are treated as a receivable and payable in the 
Statement of Financial Position. Under IFRS 15 the revenue through fines 
and penalties is recognised as the fine is the equivalent of a taxable event, 
the revenue can be measured reliably, and it is probable that the fine will 
be paid. If the fines are subject to appeal they are not recognised until the 
appeal process is finalised and the fine is confirmed as valid.


The amounts recognised are regularly reviewed and subsequently adjusted 
in the event that a civil monetary penalty is varied, cancelled, impaired or 
written off as irrecoverable. Amounts are written off as irrecoverable on the 
receipt of legal advice. Legal fees incurred in recovering debts are borne by 
the ICO. 


IFRS9 requires determination of an amount in respect of expected credit 
losses, reflecting Management’s forward-looking assessment of the 
recoverability of debts. Such an impairment value has been incorporated 
into the financial statements this year. The impairment value is based on 
those CMP cases still being investigated by the Enforcement department at 
year-end and where the expectation of receiving any income from these 
CMPs has diminished over time, but where enforcement investigations are 
still ongoing. 


Sundry receipts 

The Information Commissioner has been directed to retain certain sundry 
receipts such as other legislative funding, grants, management charges, 
reimbursed travel expenses and recovered legal costs. This is recognised in 
the Statement of Comprehensive Net Expenditure as income. 


The Information Commissioner has interpreted the Financial Reporting 
Manual (FReM) to mean that she is acting as a joint agent with the DCMS, 
and that income not directed to be retained as Income from Activities falls 
outside of normal operating activities and are not reported through the 
Statement of Comprehensive Net Expenditure, but disclosed separately 
within the notes to the accounts. This included receipts such as bank 
interest, which is paid to the Consolidated Fund. 


1.6. Notional costs
The salary and pension entitlement of the Information Commissioner are
paid directly from the Consolidated Fund and are included within staff costs
and reversed with a corresponding credit to the General Reserve.


1.7. Pensions
Past and present employees are covered by the provisions of the Principal
Civil Service Pensions Scheme.


1.8. Property, plant and equipment
Assets are classified as property, plant and equipment if they are intended
for use on a continuing basis, and their original purchase cost, on an
individual basis, is £2,000 or more, except for laptop and desktop
computers, which are capitalised even when their individual cost is below
£2,000.


Property, plant and equipment (excluding assets under construction) is
valued under a depreciated historical cost basis as a proxy for current value
in existing use or fair value for assets that have short useful lives or low
values.


At each balance sheet date the carrying amounts of property, plant and
equipment and intangible assets are reviewed to determine whether there
is any indication that those assets have suffered an impairment loss. If any
such indication exists the fair value of the asset is estimated in order to
determine the impairment loss. Any impairment charge is recognised in the
Statement of Comprehensive Net Expenditure account in the year in which
it occurs.


1.9. Depreciation
Depreciation is provided on property, plant and equipment on a
straight-line basis to write off the cost or valuation evenly over the asset's
anticipated life. A full year's depreciation is charged in the year in which an
asset is brought into service. No depreciation is charged in the year of
disposal. The principal lives adopted are:


Information Technology      Between 5 and 10 years
Plant and Machinery         Between 5 and 10 years
Leasehold improvements      Over remainder of the property lease
Right of use assets         Over the remainder of the lease period


1.10. Intangible assets and amortisation
Intangible assets are stated at the lower of replacement cost and
recoverable amount. Computer software licences and their associated costs
are capitalised as intangible assets where expenditure of £2,000 or more is
incurred. Software licences are amortised over their useful economic life
which is estimated as four years or the length of the contract, whichever is
the shorter term.


1.11. Leases
IFRS 16 “Leases” has been implemented from 1 April 2019; this introduces 
a single lessee accounting model that requires a lessee to recognise assets 
and liabilities for all leases (apart from the exemptions included below). 


For government bodies reporting under the FReM, IFRS 16 is due to be 
brought into effect on 1 April 2020 and replaces IAS 17 (Leases). DCMS has 
elected, with HMT authority, to early adopt IFRS 16 (as adapted by the 
HMT’s IFRS 16 leases application guidance). As part of the DCMS group, 
ICO is therefore implementing from 1 April 2019. 


In respect of lessees, IFRS 16 removes the distinction between operating 
and finance leases and introduces a single accounting model that requires a 
lessee to recognise (‘right-of-use’) assets and lease liabilities. 


The definition of a lease has been updated under IFRS 16; there is more
emphasis on being able to control the use of an asset identified in a
contract. There are new requirements for variable lease payments such as
RPI/CPI uplifts, and there is an accounting policy choice allowable to
separate non-lease components.


Implementation and Assumptions 


The DCMS group, and so ICO, has applied IFRS 16 using the modified 
retrospective approach and therefore the comparative information has not 
been restated and continues to be reported under IAS 17 and IFRIC 4. The 
cumulative effect of adopting IFRS 16 is included as an adjustment to 
equity at the beginning of the current period (£nil for ICO). IAS 17 
operating leases are included within our statement of financial position as a 
lease liability and right of use asset for the first time with changes made 
through the general fund as a cumulative catch up adjustment. The 
calculation of the lease liability and right of use assets are included below. 


The option to reassess whether a contract is, or contains, a lease at the
date of initial application has not been used; the group, and so ICO, has
used the practical expedient detailed in IFRS 16(C3).1.


The group has expanded the definition of a lease to include arrangements
with nil consideration. Peppercorn leases are examples of these; they are
defined by HMT as lease payments significantly below market value. These
assets are fair valued on initial recognition. On transition any differences 
between the discounted lease liability and the right of use asset are 
included through cumulative catch up. Any differences between the lease 
liability and right of use asset for new leases after implementation of IFRS 
16 are recorded in income on the SoCNE. 


The group, and so ICO, has elected not to recognise right of use assets and 
lease liabilities for the following leases:

- intangible assets;

- non-lease components of contracts where applicable;

- low value assets (these are determined to be in line with capitalisation
thresholds on Property, Plant and Equipment except vehicles which
have been deemed to be not of low value); and

- leases with a lease term of 12 months or less.


Previous treatment


In the comparative period, as a lessee the ICO would have classified leases 
that transferred substantially all the risks and rewards of ownership as 
finance leases. The ICO did not hold leases considered to be finance leases 
in 2018/19. 


Assets previously held as operating leases were not recognised in the
group's statement of financial position. Payments were recognised in SoCNE
on a straight line basis over the term of the lease. Lease incentives were 
recognised as an integral part of the total lease expense, over the term of 
the lease. 


Policy applicable from 1 April 2019 


At inception of a contract, the ICO assesses whether a contract is, or 
contains, a lease. A contract is, or contains a lease if the contract conveys 
the right to control the use of an identified asset for a period of time. This 
includes assets for which there is no consideration. To assess whether a 
contract conveys the right to control the use of an identified asset, the 
group assesses whether: 


- The contract involves the use of an identified asset; 


- The group has the right to obtain substantially all of the economic 
benefit from the use of the asset throughout the period of use; and 


- The group has the right to direct the use of the asset. 


The policy is applied to contracts entered into, or changed, on or after 1 
April 2019. 


At inception or on reassessment of a contract that contains a lease 
component, the group allocates the consideration in the contract to each 
lease component on the basis of the relative standalone prices. 


The group assesses whether it is reasonably certain to exercise break 
options or extension options at the lease commencement date. The group 
reassesses this if there are significant events or changes in circumstances 
that were anticipated.


Right of use assets


On transition to IFRS16 the ICO recognises a right of use asset and a lease 
liability at the lease commencement date. The right-of-use asset is initially 
measured at the amount equal to the lease liability, adjusted by the 
amount of any prepaid or accrued lease liability (present value of minimum 
lease payments), and subsequently at the amount less accumulated 
depreciation and impairment losses, and adjusted for certain re- 
measurements of the lease liability. Right-of-use assets are held at current 
cost in accordance with HMT IFRS 16 guidance. Depreciated historic cost is 
used as a proxy for current value as directed by HMT guidance on IFRS 16, 
including for property leases, because property leases are sufficiently short in
term and are not expected to fluctuate significantly due to changes in 
market prices. Lease payments only include the direct cost of the leases 
and do not include other variables. Lease terms are determined based on 
advice from the Government Property Unit and in accordance with the 
business needs of the ICO. 


The right-of-use asset is depreciated using the straight line method from 
the commencement date to the earlier of the end of the useful life of the 
right-of-use asset or the end of the lease term. The estimated useful lives 
of the right-of-use assets are determined on the same basis of those of 
property plant and equipment assets. 


The group applies IAS 36 Impairment of Assets to determine whether the 
right-of-use asset is impaired and to account for any impairment loss 
identified. 


Lease liabilities 


The lease liability is initially measured at the present value of the lease 
payments that are not paid at the commencement date, discounted using 
the interest rate implicit in the lease or where that is not readily 
determinable, the discount rate as provided by HM Treasury of 1.99% for 
leases entered into prior to 31 Dec 2019 or 1.27% after 1 Jan 2020. The 
lease liability only includes the direct lease cost and excludes any service 
charges. The length of each lease is determined on signing the contractual
terms following agreement with the landlord and after gaining permission
from the Government Property Unit.


The lease payment is measured at amortised cost using the effective 
interest method. It is re-measured when there is a change in future lease 
payments arising from a change in the index or rate, if there is a change in 
the group’s estimates of the amount expected to be payable under a 
residual value guarantee, or if the group changes its assessment of whether 
it will exercise a purchase, extension or termination option.


Lease payments included in the measurement of the lease liability comprise
the following: 


- Fixed payments, including in-substance fixed payments; 


- Variable lease payments that depend on an index or a rate, initially 
measured using the index rate as at the commencement date; 


- Amounts expected to be payable under a residual value guarantee; 


- The exercise price under a purchase option that the group is reasonably 
certain to exercise, lease payments in an optional renewal period if the 
ICO is reasonably certain to exercise an extension option, and penalties 
for early termination of a lease unless the ICO is reasonably certain not 
to terminate early. 


The lease liability is subsequently increased by the interest cost on the 
lease liability and decreased by lease payments made. It is re-measured 
when there is a change in the future lease payments arising from a change 
in an index or rate, a change in the estimate of the amount expected to be 
payable under a residual value guarantee, or as appropriate, changes in the 
assessment of whether a purchase or extension option is reasonably certain 
to be exercised or a termination option is reasonably certain not to be 
exercised. 


When the lease liability is re-measured a corresponding adjustment is made 
to the right of use asset or recorded in the SoCNE if the carrying amount of 
the right of use asset is zero. 


ICO presents right of use assets that don't meet the definition of 
investment properties per IAS40 as right of use assets on the Statement of 
Financial Position. The lease liabilities are included within Lease liabilities 
within current and non-current liabilities on the Statement of Financial 
Position. 


Impact on financial statements 


On transition to IFRS 16, ICO recognised an additional £4,279k of right of 
use assets and £4,279k of lease liabilities, therefore recognising £nil 
difference in the General Reserve account. 


When measuring lease liabilities, the group discounted lease payments 
using rates set out above. 


                                                          £000's
Operating lease commitment at 31 March 2019                4,616
Discounted using discount rates                            (210)
Finance Lease liabilities at 31 March 2019
- Exemptions for
  o Short-term leases                                      (127)
  o Leases of low value assets                                 -
- Extension and termination options
  reasonably certain to be exercised                           -
- Variable lease payments based on an
  index or a rate                                              -
- Residual value guarantees                                    -
Lease liabilities recognised at 1 April 2019               4,279


1.12. Provisions
Provisions are recognised when there is a present obligation as a result of a
past event where it is probable that an outflow of resources will be required
to settle the obligation and a reliable estimate of the amount of the
obligation can be made.


1.13. Value added tax
The Information Commissioner is not registered for VAT as most activities
of the Information Commissioner's Office are outside of the scope of VAT.
VAT is charged to the relevant expenditure category, or included in the
capitalised purchase cost of non-current assets.


1.14. Segmental reporting
The policy for segmental reporting is set out in note 2 to the Financial
statements.


1.15. Impact of COVID 19

The Data Protection Act 2018 makes provision for the ICO to retain certain 
income collected under that Act. DCMS, with the consent of the Treasury, 
has determined which income ICO can retain, and this is described in Note 
1.5 above. The ICO has budgeted income of £61m for the year 2020/21 
which has been restated to account for the potential impact of Covid-19. In 
light of the impact of Covid-19 on the UK economy, the mechanism by 
which the ICO is funded has been reviewed whilst also assessing what the 
impact of Covid-19 on the funding might be. The budget set has taken into 
account the risks over potential fee income and restated accordingly along 
with a similar review of costs. The ICO continues to review the budget
and risks within it with DCMS. It is therefore appropriate to adopt a going
concern basis for the preparation of these financial statements.


2. Analysis of net expenditure by segment

                               Data      Freedom of    Other grant-         2019/20
                         protection     information          in-aid           Total
                              £'000           £'000           £'000           £'000
Gross expenditure            48,415           3,750           2,588          54,753
Income                     (49,707)               -               -        (49,707)
Net expenditure             (1,292)           3,750           2,588           5,046

                               Data      Freedom of    Other grant-         2018/19
                         protection     information          in-aid           Total
                              £'000           £'000           £'000           £'000
Gross expenditure            40,920           3,750         (1,354)          43,316
Income                     (39,980)               -               -        (39,980)
Net expenditure                 940           3,750         (1,354)           3,336


Expenditure is classed as administrative expenditure except those costs
associated with readiness for legislative changes which have been classified as
programme.


The analysis above is provided for fees and charges purposes and for the
purpose of IFRS 8: Operating Segments.


The factors used to identify the reportable segments of data protection and 
freedom of information are that the Commissioner's main responsibilities were 
contained within the DPA 2018 and FOIA, and funding during 2019/20 and in 
prior years was provided for data protection work by collecting an annual 
registration fee from data controllers under the DPA, whilst funding for freedom 
of information is provided by a grant-in-aid from the DCMS. Other grant-in-aid 
related to £500k for network infrastructure and systems regulation, £46k for 
electronic identification and trust services regulation, funding to support pension 
costs £1.4m and funding to support litigation costs £600k. 


The data protection notification fee was set by the Secretary of State, and in 
making any fee regulations under section 134 of the DPA 2018, as amended by 
paragraph 17 of Schedule 2 to FOIA, the Secretary of State had to have regard 
to the desirability of securing that the fees payable to the Commissioner were 
sufficient to offset the expenses incurred by the Commissioner, the Information 
Tribunal and any expenses of the Secretary of State in respect of the 
Commissioner or the Tribunal, and any prior deficits incurred, so far as 
attributable to the functions under the DPA 2018. 


These accounts do not include the expenses incurred by the Information Tribunal 
or the Secretary of State in respect of the Commissioner, and therefore cannot 
be used to demonstrate that the data protection fees offset expenditure on data 
protection functions, as set out in the DPA 2018. 


Expenditure is apportioned between the data protection and freedom of 
information work on the basis of costs recorded in the ICO’s accounting system. 
This allocates expenditure to various cost centres across the organisation. A 
financial model is then applied to apportion expenditure between data protection 
and freedom of information on an actual basis, where possible, or by way of 
reasoned estimates where expenditure is shared. 


3. Staff numbers and related costs 


Staff costs comprise:            Permanently
                                    employed               2019/20    2018/19
                                       staff     Others      Total      Total
                                       £'000      £'000      £'000      £'000
Wages and salaries                    27,369      1,639     29,008     22,840
Social security costs                  2,942          -      2,942      2,154
Other pension costs                    7,126          -      7,126      4,050
Sub-total                             37,437      1,639     39,076     29,044
Less recoveries in respect
of outward secondments                     -          -          -        (1)
Total net costs                       37,437      1,639     39,076     29,043


Included in staff costs above are notional costs of £256k (2018/19: £220k) in 
respect of salary and pension entitlements of the Information Commissioner and 
the associated employer's national insurance contributions which are credited 
directly to the General Reserve, temporary agency staff costs of £746k 
(2018/19: £1.415m) and inward staff secondments of £894k (2018/19: £453k) 
as well as the amounts disclosed in the Remuneration Report. 


Average number of persons employed 


The average number of whole time equivalent persons employed during the year 
was: 


                       Permanently   Temporarily
                          employed      employed    2019/20    2018/19
                             staff         staff      Total      Total
Directly employed              706             -        706        606
Agency staff                     -            21         21         32
Total employed                 706            21        727        638


Pension arrangements 


The Principal Civil Service Pension Scheme (PCSPS) and the Civil Servant and 
Other Pension Scheme (CSOPS) - known as "alpha" - are unfunded multi-employer 
defined benefit schemes but the Information Commissioner’s Office is 
unable to identify its share of the underlying assets and liabilities. 


The scheme actuary valued the PCSPS as at 31 March 2012. Details can be 
found in the resource accounts of the Cabinet Office Civil Superannuation 
(civilservice.gov.uk/pensions). 


For 2019/20 employers' contributions of £6.878m (2018/19: £3.866m) were 
payable to the PCSPS at one of four rates in the range 20% to 24.5% of 
pensionable pay, based on salary bands. The Scheme's Actuary reviews 
employer contributions usually every four years following a full scheme 
valuation. The contribution rates are set to meet the cost of benefits accruing 
during 2019/20 to be paid when the member retires and not the benefits paid 
during the period to existing pensioners. 


Employees can opt to open a ‘Partnership’ account, a stakeholder pension with 
an employer contribution. Employers’ contributions of £196k (2018/19: £142k), 
were paid to one or more of a panel of three appointed stakeholder pension 
providers. Employers’ contributions are age-related and range from 8% to 
14.75% of pensionable pay. In addition, employer contributions of £6k 
(2018/19: £4.9k), 0.8% of pensionable pay, were payable to the Principal Civil 
Service Pension Scheme to cover the cost of future provision of lump sum 
benefits on death in service and ill health retirement of these employees. 


Contributions due to partnership pension providers at the Statement of Financial 
Position date were £6k (2018/19: £6.6k). Contributions prepaid at this date 
were £nil (2018/19: £nil). 


Other pension costs include notional employers' contributions of £53k (2018/19: 
£39k) in respect of notional costs in respect of the Information Commissioner. 


No individuals retired early on health grounds during the year. 


4. Other expenditure 


                                                    2019/20    2018/19
                                                      £'000      £'000
Accommodation (Business rates and services)             879        698
Rentals under operating leases                          661      1,060
Office supplies and stationery                          508        168
Carriage and telecommunications                          60         58
Travel and subsistence                                  983      1,022
Staff recruitment                                       283        579
Specialist assistance and policy research             1,959      2,880
Communications and external relations                   539        834
Legal costs                                             ISi        974
Learning and development, health and safety             500        520
IT Service delivery costs                             3,248      3,302
Business development costs                            2,962      1,291
Audit fees                                               30         30
Grants Fund                                             243        273
                                                     13,436     13,689
Non-cash items
Depreciation                                          1,974        439
Amortisation                                            236        141
Loss on disposal of assets                               31          4
                                                      2,241        584
Total expenditure                                    15,677     14,273

5. Income 


5a. Income from activities 
                                                    2019/20    2018/19
                                                      £'000      £'000
Fees                                                 48,712     39,256
Sundry receipts                                         995        724
                                                     49,707     39,980


5b. Consolidated Fund income 


2019/20 2018/19 
£'000 £'000 £'000 £'000 
Fees 
Collected under the DPA                                  48,712     39,256 
Retained under direction as Income from activities     (48,712)   (39,256) 
Civil monetary penalties - Investigations 
Penalties issued                                          2,409      5,436 
Early payment reductions 
Repaid following a successful appeal 
Uncollectable, cancelled after successful appeals 
Re-issued after appeal 
Impairments 
Civil monetary penalties - Non-payment of fees 
Penalties Issued 
Impairments 
Sundry receipts 
Receipts under the Proceeds of Crime Act 
Grant income (repaid) 
Bank interest received 
Brexit Funding 
Recovered legal fees 
Reimbursed travel expenses 
Conference fees 
Management Fee from Telephone Preference Service 
Income received from The Regulatory Pioneers Fund 
Income receipts under the Investigatory Powers Act 
Marketing income 
Sundry receipts retained under direction as Income from Activities 
Income payable to Consolidated Fund 
Balances held at the start of the year 
Income payable to the Consolidated Fund 
Payments to the Consolidated Fund 
Balances held at the end of the year (note 12) 


(281) 
(110) 
(2,000) 

18 
287 

287 
1 
190 
20 
48 
81 
79 
229 
330 
17 
995 
(995) 

305 

4,543 

305 

(1,657) 

3,191 


(663) 


1l 


4,773 


ILA 


4,944 


2,939 
4,944 
(3,340) 


4,543 


As set out in note 1.5 income payable to the Consolidated Fund does not form 
part of the Statement of Comprehensive Net Expenditure. Amounts retained 
under direction from the DCMS with the consent of the Treasury are treated as 
income from activities within the Statement of Comprehensive Net Expenditure. 


The amounts receivable at 31 March 2020 were £2.456m (2018/19: £4.149m) 
and the amounts payable were £2.882m (2018/19: £4.389m). 


The Civil Monetary Payment figure at the year-end date includes all Civil 
Monetary Payments unpaid at that date. 


6. Property, plant and equipment 

                     Information   Plant and     Leasehold  Assets under     2020     2019
                      technology   machinery  improvements  construction    Total    Total
                           £'000       £'000         £'000         £'000    £'000    £'000
Cost or valuation
At 1 April 2019            7,776         288         2,382           770   11,216   10,741
Additions                    151          15           378           (1)      543      623
Transfers                      -           -             -         (769)    (769)        -
Disposals                  (395)        (62)             -             -    (457)    (148)
At 31 March 2020           7,532         241         2,760             -   10,533   11,216
Depreciation
At 1 April 2019            6,886         148         2,343             -    9,377    9,083
Charged in year              379          41            88             -      508      439
Disposals                  (390)        (36)             1             -    (425)    (145)
At 31 March 2020           6,875         153         2,432             -    9,460    9,377
Net book value at
31 March 2020                657          88           328             -    1,073    1,839
Owned                        657          88           328             -    1,073    1,839
Net book value at
31 March 2020                657          88           328             -    1,073    1,839


Property, plant and equipment (excluding assets under construction) is valued 
under a depreciated historical cost basis as a proxy for current value in existing 
use or fair value for assets that have short useful lives or low values. This is 
considered an appropriate model for all classes of assets as the majority have 
useful lives of five years or are considered an immaterial value. 


Included above are fully depreciated assets, in use with an original cost of 
£5.686m (2018/19: £6.117m). 


The amount of £769k has been transferred from Asset under construction to 
Software licences in 2019/20. In 2018/19 £770k was shown under tangible 
assets whereas it is intangible in nature. 


7. Right of use assets 

                                          Long leasehold
                                                land and     2020     2019
                                               buildings    Total    Total
                                                   £'000    £'000    £'000
Cost or valuation
At 1 April 2019                                        -        -        -
Right of use assets brought in under transition    4,279    4,279        -
Additions                                          1,155    1,155
At 31 March 2020                                   5,434    5,434        -
Depreciation
At 1 April 2019                                        -        -        -
Charged in year                                    1,466    1,466        -
At 31 March 2020                                   1,466    1,466        -
Net book value at 31 March 2020                    3,968    3,968        -
Asset financing
Owned                                              3,968    3,968        -
Net book value at 31 March 2020                    3,968    3,968        -


The lease on the ICO main premises at Wycliffe House, Wilmslow expired on 1 
January 2017 and a new lease was signed with a break clause in five years. 
Further leases were entered into during the period (see note 15) with no 
dilapidations deemed applicable as at 31 March 2019. A provision has been 
made based upon the assessment by Avison Young (the trading name of GVA), 
commercial property advisers, dated January 2020 and March 2020. A full 
dilapidation report was completed across the full Wilmslow estate during 
2019/20. 


The ICO also occupies government properties in Edinburgh and Cardiff under 
Memorandum of Terms of Occupation agreements ending 2020 and 2024 
respectively. Under these agreements, the ICO may have dilapidations liabilities 
at the end of the term of occupation but these are considered immaterial to 
recognise further. 


8. Intangible assets 

                                   Software  Assets under     2020     2019
                                   licences  construction    Total    Total
                                      £'000         £'000    £'000    £'000
Cost or valuation
At 1 April 2019                       3,379             -    3,379    3,403
Additions                               119             -      119       30
Disposals                              (57)             -     (57)     (54)
Transfers                               769             -      769        -
Reclassifications                         -             -        -        -
At 31 March 2020                      4,210             -    4,210    3,379
Amortisation
At 1 April 2019                       3,343             -    3,343    3,255
Charged in year                         236             -      236      141
Disposals                              (57)             -     (57)     (53)
At 31 March 2020                      3,522             -    3,522    3,343
Net book value at 31 March 2020         688             -      688       36
Asset financing
Owned                                   688             -      688       36
Net book value at 31 March 2020         688             -      688       36


The amount of £769k has been transferred from Asset under construction to 
Software licences in 2019/20. In 2018/19 £770k was shown under tangible 
assets whereas it is intangible in nature. 


9. Financial instruments 


As the cash requirements of the Information Commissioner are met through fees 
collected under the DPA 2018 and grant-in-aid provided by the DCMS, financial 
instruments play a more limited role in creating and managing risk than would 
apply to a non-public sector body. The Information Commissioner does not make 
use of any financial instruments beyond standard day to day banking. The 
Information Commissioner has no loans and does not use financial instruments 
to make investment. 


The financial instruments utilised relate to contracts to buy non-financial items in 
line with the Information Commissioner's expected purchase and usage 
requirements and the Information Commissioner is therefore exposed to little 
credit, liquidity or market risk. 


10. Trade receivables and other current assets 

                                            31 March   31 March
                                                2020       2019
                                               £'000      £'000
Amounts falling due within one year:
Trade debtors                                    760        405
Prepayments and accrued income                 1,899      1,734
Sub-total                                      2,659      2,139
Consolidated Fund receipts due                 4,703      4,297
Less: amounts impaired (note 5b)             (2,000)          -
Other                                             28       (16)
                                               2,731      4,281
                                               5,390      6,420


11. Cash and cash equivalents 


                                                     31 March   31 March
                                                         2020       2019
                                                        £'000      £'000
Balance at 1 April                                      3,101      2,923
Net change in cash and cash equivalent balances         3,053        178
Balance at 31 March                                     6,154      3,101
Split:
Commercial banks and cash in hand                       4,616      2,146
Government Banking Service                              1,538        955
                                                        6,154      3,101


12. Trade payables and other current liabilities 


                                            31 March   31 March
                                                2020       2019
                                               £'000      £'000
Amounts falling due within one year:
Taxation and social security                     715        621
Trade payables                                   994        568
Other payables                                 1,261      1,155
Accruals and deferred income                   1,344
Sub-total                                      4,314
Amount payable to government (note 5b)         3,191      4,543
                                               7,505      8,647
Split:
Sponsor department - DCMS                      3,191      4,543
Other central government bodies                  714        621
Bodies external to government                  3,600      3,483
                                               7,505      8,647

The amount payable to the sponsor department represents the amount which 
will be due to the Consolidated Fund when all of the income due is collected. 


13. Provision for liabilities and charges 


                                Pay award
                            2019/20   2018/19
                              £'000     £'000
Balance at 1 April                -         -
Provided in year                911         -
Provision utilised in year        -         -
Balance at 31 March             911         -


*This represents a reassessment of the provision 


Analysis of expected timing of discounted flow: 

                                Pay award
                            2019/20   2018/19
                              £'000     £'000
Not later than one year         911         -
Later than one year and
not later than five years         -         -
Later than five years             -         -
Balance at 31 March             911         -


Dilapidations 

2019/20   2018/19
  £'000     £'000
    510       605
    349      (95)
    859       510


Dilapidations 

2019/20   2018/19
  £'000     £'000


Early departure costs 

2019/20   2018/19
  £'000     £'000
     35        45
    (5)         -
   (30)      (10)
      -        35


Early departure costs 

2019/20   2018/19
  £'000     £'000
      -        35
      -        35


Pay Award 


The pay award for 2019/20 has been proposed as 2% from 1 April 2019 and 
then 5.25% from 24 February 2020. The amount of the pay award payable has 
been provided for at the year-end as the final agreement to implement the 
award is pending the outcome of the Trade Union ballot. 


Dilapidations provision 


The lease on the ICO main premises at Wycliffe House, Wilmslow expired on 1 
January 2017 and a new lease was signed with a break clause in 5 years. 
Further leases were entered into during the period (see note 15) with no 
dilapidations deemed applicable as at 31 March 2019. A provision has been 
made based upon the assessment by Avison Young (the trading name of GVA), 
commercial property advisers, dated January 2020 and March 2020. A full 
dilapidation report was completed across the full Wilmslow estate during 
2019/20. 


The ICO also occupies government properties in Edinburgh and Cardiff under 
Memorandum of Terms of Occupation agreements ending 2020 and 2024 
respectively. Under these agreements, the ICO may have dilapidations liabilities 
at the end of the term of occupation but these are considered immaterial to 
recognise further. 


Early departure costs 


The additional cost of benefits, beyond the normal PCSPS benefits in respect of 
employees who retire early, are provided for in full when the early departure 
decision is approved by establishing a provision for the estimated payments 
discounted by the Treasury discount rate. There were no early departure costs in 
2019/20 (in 2018/19 the discount rate was: 0.10%). The estimated payments 
are provided by MyCSP. 


14. Lease liabilities 


Maturity Analysis - contractual undiscounted cashflows    31 March 2020
                                                                  £'000
Less than one year                                                1,562
Between two and five years                                        2,921
Later than five years                                                 -
                                                                  4,483

Lease Liabilities included in the balance sheet
Current                                                           1,487
Non-current                                                       2,759
                                                                  4,246

Movement in lease during the year
As at 01 April 2019 - on transition to IFRS 16                    4,279
Interest charged to the income statement                            103
Lease Liability in relation to new leases                         1,155
Lease rental payments                                           (1,291)
                                                                  4,246


15. Capital commitments 
There were no capital commitments in the year ended 31 March 2020 (2018/19: 
£nil). 

16. Commitments under operating leases 


The 2019 presentation under IFRS16 Leases includes all leases on balance sheet 
as Right of use assets with a corresponding lease liability, other than leases 
which are short leases (terms of 12 months or less) or low value leases (asset 
value of less than £5,000). Leases that qualify for these exemptions are included 
within the disclosure below for 2019. 


The future aggregate minimum lease payments under non-cancellable leases not 
accounted for elsewhere under IFRS16 are as follows: 

Total future minimum lease payments under              31 March 2020   31 March 2019
operating leases are:                                          £'000           £'000
Not later than one year                                           75           1,320
Later than one year and not later than five years                 96           3,296
Later than five years                                              -               -
                                                                 171           4,616


The minimum lease payments are determined from the relevant lease 
agreements and do not reflect possible increases as a result of market-based 
reviews. The lease expenditure charged to the Statement of Comprehensive Net 
Expenditure during the year is disclosed in note 4. 


17. Related party transactions 


The Information Commissioner confirms that she had no personal business 
interests which conflict with her responsibilities as Information Commissioner. 


During the financial year 2019/20 the DCMS was a related party to the 
Information Commissioner. 


During the year no related party transactions were entered into, with the 
exception of providing the Information Commissioner with grant-in-aid, other 
funding and the appropriation-in-aid of Civil Monetary Penalty and sundry 
receipts to the Ministry of Justice for surrender to the Consolidated Fund. 


In addition, the Information Commissioner has had various material transactions 
with other central government bodies; most of these transactions have been 
with the Principal Civil Service Pension Scheme (PCSPS). 


None of the key managerial staff or other related parties has undertaken any 
material transaction with the Information Commissioner during the year. 


18. Contingent liabilities 


There are no contingent liabilities at 31 March 2020 (31 March 2019: none). 


19. Events after the reporting period 


There were no events between the Statement of Financial Position date and the 
date the accounts were authorised for issue, which is interpreted as the date of 
the Certificate and Report of the Comptroller and Auditor General. 